Re: [Lucrative-L] lucrative accounts revisited
On Thursday, April 24, 2003, at 10:28 AM, R. A. Hettinga wrote:
... Since we're literally moving title to an asset around the net instead of changing records in a database somewhere (remember the double-spend database at the mint is only *redeemed* notes, not copies of what's out there), ...
I am taking a different approach, where the server stores RIPEMD-160 hashes of all the redeemable coins "out there." It completely forgets redeemed coins. Because the server only stores hashes, the entire contents of the server database could literally be published on the web in streaming live form without seriously reducing the security of the system. Of course, this would be stupid because it would needlessly invite collision attacks, but in principle the idea of avoiding security through obscurity could be applied to the database itself. But then, why not hide the hash file behind a Unix password, and behind an AES-256 key while we're at it? :-)

So a coin consists of an lseek position in the server data file, 256 bits of random gibberish, and 64 bits representing the amount. When you present the coin to the server, the server hashes it and looks at the given lseek position. If it matches, it manufactures a new coin at some other lseek place and sends it to you. You store the coin, compute the RIPEMD-160 hash yourself, and send that to the server, at which point it kills the old coin and enlivens the new coin.

Obviously all the smart folks who talk about storing only the redeemed notes and even using probabilistic double-spend detection methods have reasons for doing so. I expect my scheme will be slapped down forthwith. :-)
Finally, I would also strongly recommend that we try like hell not to invent new cryptographic conventions, much less new cryptography, here.
You're preaching to the choir here. I haven't seen any snake oil proposals lately (unless I just gave one above. :-)
First, crypto is hard. :-), and our chances of actually inventing something new that isn't trivially broken on its face are even harder. Obviously, if you're one of those big swinging di-, er, big giant heads, who actually do the math, understand what cryptography protocols do, and see something that's wrong, or that you can do better, that's different, but there's a whole lot of time that can be wasted in reinventing the wheel here that won't get us to code that earns money. ...
Good C libraries for existing crypto protocols are always welcome. I'm just getting Rijndael, RSA, RIPEMD, BBS, etc. into a shape I like. Mostly, I don't like routines that declare *anything* on the stack -- all of my working space is allocated on a single 4k mlocked page up front and Mersenne-twisted before munlock and free.
Second, and in that vein, there is a whole published language of crypto that's already being used, and if we don't use it from the outset, nobody will understand us later if we get stuck. In particular, a trusted third party, or trusted entity, is "Trent", for some reason, probably because Schneier had it in Applied Cryptography 10 or 12 years ago. :-).
Ah, Marvin for "medium" considered non-standard. :-) OK, Trent it is.
We should change nomenclature only when we've added to it, yes?
Believe me, we'll get there, especially after we're actually operating this code the way we want it to run, at a profit, in an open market. That's certainly something that nobody's done before, :-), and we're going to have our hands full when we make it happen.
Truly.

-- Patrick http://fexl.com
At 11:09 AM -0400 4/24/03, Patrick Chkoreff wrote:
I expect my scheme will be slapped down forthwith. :-)

<Baff-Baff> :-)

Again, the *only* thing you need to prevent double-spending is a copy of the spent coins. Period.

Anything else costs money.

Transaction cost is everything.

Cheers,
RAH
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Thursday, April 24, 2003, at 10:57 AM, R. A. Hettinga wrote:
At 11:09 AM -0400 4/24/03, Patrick Chkoreff wrote:
I expect my scheme will be slapped down forthwith. :-)
<Baff-Baff> :-)
Again, the *only* thing you need to prevent double-spending is a copy of the spent coins. Period.
Anything else costs money.
For on-line clearing, a copy of the spent "coin" stops double-spending. I would not call it a "coin," however. We should reserve the word "coin" for things which behave like coins, e.g., things that clear locally without presentation to an issuer or other entity.

For off-line clearing, double-spending is a significant and hard problem. Perhaps unsolvable. If so, then there are no digital coins and never will be. (I don't count token-based systems, using smartcards or "observers," as digital coins.)

Everything connected with money costs money, by the way. Even keeping copies and comparing them to newly-presented exemplars.

--Tim May
"The great object is that every man be armed and everyone who is able may have a gun." --Patrick Henry
"The best we can hope for concerning the people at large is that they be properly armed." --Alexander Hamilton
At 12:24 PM -0700 4/24/03, Tim May arose to smite linguistic heresy:
For on-line clearing, a copy of the spent "coin" stops double-spending.
Indeed. That was my entire point. Thank you for repeating it. Again. As for the following...
I would not call it a "coin," however. We should reserve the word "coin" for things which behave like coins, e.g, things that clear locally without presentation to an issuer or other entity.
"We" should, but I won't, though I prefer using "coins" to mean something even smaller -- my original use in this thread was a lamentable and reflexive use from the DigiCash days -- but I think if we're copying, or, more properly, redeeming and reissuing, something that controls ownership of an asset, something that is supposed to reside, physically, in a single place on the net at any one time, it's more like a coin, or a subway token, or a note, or a bearer bond, than anything else used to move money around, say, book-entries (debits and credits) tunneled using SSL, for instance.

And, no, I don't think the use of "coin" or "note", much less "certificate", is even close to the modern mis-use of the words "signature" or "certificate" to describe cryptographic authentication, because there's a whole lot of difference between those things and the holographic, supposedly biometric, writings that we call "signatures" in meatspace. But, we say "signature", anyway. Hopefully we'll re-load "certificate", someday...

So, calling a financial instrument using a Chaumian blind-signature financial cryptography protocol a "note", or "certificate", is fine. As for "coin", while we were thinking about this stuff a while back, I decided that streaming protocols, using bulk-issued MicroMint, and then Rabin Signature, "tokens", tested for double-spending with statistical sampling, could execute, clear and settle at a low enough cost to be called a "coin". Chaumian or other blind signature "notes" have to be checked on every transaction, so they are, by definition, more expensive to handle individually, just like paper notes are, compared to a coin.
For off-line clearing, double-spending is a significant and hard problem. Perhaps unsolvable.
Amen.
If so, then there are no digital coins and never will be.
If you say so, Tim. :-).
(I don't count token-based systems, using smartcards or "observers," as digital coins.)
I think "token" is also a word subject to overloading. I would call "token" a superset of "coin" and "note", myself, to be used to generalize things. In current usage in the ATM or meatspace electronic payment business, "token" means the thing you carry around to put into an electronic "terminal" as one "factor" in a two-factor transaction process. A shared secret, like a "Personal Identification Number" being the second "factor". "Three factor" authentication, of course, uses a "signature", right? ;-).
Everything connected with money costs money, by the way. Even keeping copies and comparing them to newly-presented exemplars.
Certainly if you want to dance your nits on the head of a pin, yes, Tim, knock yourself out. You certainly seem better at catching and wrangling them than I am. On the net full of scientists, former or otherwise, the price of error, no matter how small, is bandwidth...

Of *course*, everything costs money. I plead a Dirksenist brevity, in the meantime.

Cheers,
RAH
"A coin here, and a coin there..."
On Thursday, April 24, 2003, at 01:57 PM, R. A. Hettinga wrote:
Again, the *only* thing you need to prevent double-spending is a copy of the spent coins. Period.
Alternatively, I think a copy of the non-spent coins will do the trick also.

So in your scenario, the predicate valuable(x) = valid_crypto_stamp(x) & not element(x, spent_coins). In my scenario, valuable(x) = element(x, unspent_coins).

Why store the large set of spent coins when you can store the much smaller set of unspent coins?

There's no security issue I don't think. In my scheme the bad guys can torture you and get access to the hash file, yes, but what's the point? They still have to mount a multi-million dollar collision attack. It's much easier just to seize the gold in the vaults than fiddle around with some pathetic bits on a server. Or if the digital coins are backed by something like e-bullion they can just torture you for the e-bullion password.
Anything else costs money.
Transaction cost is everything.
I don't understand your point here. Why are my transaction costs greater than yours? They might even be less. The disk usage might be less, too.

-- Patrick http://fexl.com
At 3:52 PM -0400 4/24/03, Patrick Chkoreff wrote:
Alternatively, I think a copy of the non-spent coins will do the trick also.
Patrick, no offense, but have you actually *read* this stuff?

You *delete* the spent coins after some pre-arranged period. They're useless.

You don't *care* about the unspent coins. You're going to *have* to keep the spent coins to prevent double spending.

Get it?

Cheers,
RAH
On Thursday, April 24, 2003, at 04:17 PM, R. A. Hettinga wrote:
At 3:52 PM -0400 4/24/03, Patrick Chkoreff wrote:
Alternatively, I think a copy of the non-spent coins will do the trick also.
Patrick, no offense, but have you actually *read* this stuff?
You *delete* the spent coins after some pre-arranged period. They're useless.
You don't *care* about the unspent coins. You're going to *have* to keep the spent coins to prevent double spending.
Get it?
No, which indicates there is one huge unshared premise at work here. I assert that I can prevent double spending without keeping the spent coins, even for a limited time period.

It's simple. Alice gives Bob a coin X. Bob immediately swaps coin X for a brand new coin Y. The server deletes coin X completely, forgetting the bits with extreme prejudice. Now Alice tries to give Charles the same coin X. Charles immediately attempts to swap coin X for a new one. The server tries to look up X in the set of valid coins and does not find it. The server says "Sorry, Charlie, that is not a valid coin."

The whole thing depends on the recipient doing an immediate swap. But that's no big requirement, because the recipient must contact the server to see if it's a valid coin anyway. So you just go ahead and do a swap at that point.

-- Patrick http://fexl.com
At 4:51 PM -0400 4/24/03, Patrick Chkoreff wrote:
No, which indicates there is one huge unshared premise at work here.
Okay. I think I understand what's happened, here. It's a function of whether or not you're blinding, and the blinding protocol you're using. If you're doing Chaumian blinding, part of the double-spending prevention is bound up in the blinding protocol itself. Since Lucrative is done in Wagner blinding, maybe that's not the case, but I wouldn't think so, on a first approximation. Wagner's too smart. :-).

For non-blinded notes, you still keep a copy of the ones that come in, (or a sample of them, for "streaming" coins where a large number of coins are statistically dependent, like between IP addresses in a P2P streaming network) but you *still* don't care about the ones that haven't come back yet. Because, and note this, one more time: they're not *spent* yet. You're trying to *prove* double spending, remember? If someone comes back with a note you *don't* have, it may make for a smaller list, and, hey, if it's not on your list, you don't let it in. But you want to keep some kind of *proof* that the coin's already come in, besides simply saying, "nope. Not here". Instead, you want to say things like "nope. this one's double spent.", and provide whatever information you've agreed to as proof. (timestamp, or IP address, or whatever. Not pretty)

That's why Chaum did what he did. You munge the two hashes you now have in the double-spent note and out pops the *signature* of the double spender, and so you only have to keep the notes that have come in. You can't even *decipher* the notes you've issued, because, hey, they're blinded. They're complete gibberish to the mint, and equally useless. The blinding happens on the client with a secret blinding factor, right?

Now I have to go back and look at what Wagner said myself :-), and figure out if he did something like that as well. I expect that by "blinding", he meant getting the same kind of result that Chaum was after, or people wouldn't have been offering it as an alternative to Chaum all these years. Wagner did it with Diffie-Hellman, so the math operators are different than RSA, but I bet you get the same effect, or again, people wouldn't call it "blinding."

There's certainly something to be said for learning by answering questions, and I thank you for giving me the opportunity for personal growth ;-), but, really, Patrick, go *read* these protocols to see how they work before proposing new ones. Most of the time, people haven't the bandwidth to repeat what's been said, especially on cypherpunks in particular, and on the net in general, many times before.

So, again I ask, Patrick, have you gone and looked at blind signature protocols in the CRC Handbook of Applied Crypto? or Applied Cryptography? The CRC book is more technical than Applied Crypto, which is the more readable of the two, but the CRC book is actually available in PDF on the net, for free, if you go look for it. Google is Your Friend, Patrick, and Crypto is Hard. Don't invent any if you really don't have to.

Cheers,
RAH
At 04:17 PM 04/24/2003 -0400, R. A. Hettinga wrote:
You *delete* the spent coins after some pre-arranged period. They're useless.
That only works if you've modified your protocols to identify the ages of coins, for instance by rotating what signature parameters the bank uses. Otherwise somebody can walk in with a used P+1-old coin and spend it again.

If you do modify the protocols to identify coin or signature batches, and delete older batches of coins, you have to also refuse to cash them, like checks that say "Not valid after 90 days" or whatever. This implies that users will be required to come in and exchange coins every so often before they expire, or lose their money. For most markets, this may be ok with appropriate time periods, but for other applications, it might not be.

One alternative is to keep only the new batches in high-speed storage, and if somebody comes in with a bunch of dusty old coins, you say "eh, haven't seen one-a them in a long time, let's see what we've got back in the back room", and go drag out the punch cards and 9-track-tape with the old databases on them.

How expensive is this? Well, the going rate for disks is about $1/GB, and I forget how big the coins are but they're unlikely to be over 1KB, so that's about 1 microbuck per coin, plus some labor cost for fetching old records, and a $1000 stack of drives holds a billion spent coins. CDRs are more trouble to handle, but only cost about $0.25/GB; I'd expect the write-once DVD market to be similar until Blu-ray gets common.
At 10:38 PM -0700 4/24/03, Bill Stewart wrote:
If you do modify the protocols to identify coin or signature batches, and delete older batches of coins, you have to also refuse to cash them, like checks that say "Not valid after 90 days" or whatever.
Yup, and I'd prefer signature batches, I think. You can easily determine which signature was used at the time of redemption. As to the duration of a given tranche, or epoch, or whatever, that would be pre-announced, and probably calculable by the number of signed coins in a given batch, and, yes, you wouldn't have to be absolute in your redemption-expiry policy, particularly if there's still an outstanding balance in an epoch's reserve account. :-).

Cheers,
RAH
If the coins offer privacy, then unspent coins are unlinkable when the same coin is deposited, so keeping just unspent coins doesn't work.

Spent coins on the other hand have their blinding removed, so you notice double spending by looking at spent coins.

(There are zero-knowledge proofs of non-set membership as proposed for use in ecash by Sander and Ta-Shma [1], but I think these are quite computationally expensive.)

Adam

[1] "Auditable, Anonymous Electronic Cash", Tomas Sander, Amnon Ta-Shma, Crypto 99
http://citeseer.nj.nec.com/sander98auditable.html
On Thursday, April 24, 2003, at 05:27 PM, Adam Back wrote:
If the coins offer privacy, then unspent coins are unlinkable when the same coin is deposited, so keeping just unspent coins doesn't work.
Spent coins on the other hand have their blinding removed, so you notice double spending by looking at spent coins.
(There are zero-knowledge proofs of non-set membership as proposed for use in ecash by Sander and Ta-Shma [1], but I think these are quite computationally expensive.)
Although I have read some material on blinding etc., I do not see a need for it in my system. At Tim May's suggestion I shall avoid using the word "coin" and use the more accurate financial term "note" instead.

Although technically a note in my system is <32-bit file position><256-bit random gibberish><64-bit amount>, I'll use a simpler and abbreviated decimal notation with dashes in the quick example that follows.

Alice has a note "0247-223235898-00032" that entitles her to 32 grams of e-bullion. She decides to take delivery. She presents the coin to the server and the server computes the RIPEMD-160 hash. It looks at record number 247 in the data file and sees if the hash stored there matches the computed hash. If so, the server extinguishes the coin (randomizing the record and chaining it to the free list) and spends 32 grams of e-bullion to the account that Alice designates, no questions asked. (Obviously you have to handle any errors in the e-bullion spend -- don't extinguish the coin if the spend fails.)

Now Alice tries to pull a fast one. She presents that same note "0247-223235898-00032" to Bob. Bob decides to swap the note for a new one. He presents it to the server. The server computes the RIPEMD-160 hash. It looks at record number 247 in the data file and sees that the record is on the free list. It rejects Bob's request. Double spend prevented.

Now perhaps in the meantime the server has decided to reuse record 247. In that case there is a brand new note hash sitting there, and it is astronomically unlikely to match the hash of the "0247-223235898-00032" note. (I have considered issuing serial numbers that are never reused but for some vague reason I don't quite like that. It might not be a big deal.) Again, double spend prevented. Quite simply, the absence of a match indicates a spent coin, or one that was never issued in the first place.

It's very much like GoldMoney payment keys, which simply say YES or NO when you try to redeem them, with no information given about whether it was EVER a valid payment key.

If there is any problem of "linkability" in this scheme, please help me see it. The server does not log any socket events or transaction records of any kind. OK, if someone put a gun to my head and said "put in some code to log everything" then they might be able to discern some pattern like "this coin was issued to this IP address, and then three days later that coin was swapped from this other IP address." OK, that sounds like a potential problem, but I don't see how you can hide this information from the server ITSELF. When you present a coin to the server, it is going to know from which IP address it came, and I don't see a way around that. There is no linkability of personal identity in the system because there is no personal identity in the system, period. The server has no use for a public key from any user.

-- Patrick http://fexl.com
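Patrick's record-position note scheme and the immediate-swap check he describes (Alice, Bob and Charles above), as an added simulation that is not code from the thread or from fexl.com: the server holds only hashes of live notes, a swap extinguishes the old record and enlivens a new one, and a second presentation of the same note is refused both while the record sits on the free list and after the record number has been reused. The Server/demo names, the two-record server size and the SHA-256 fallback for Python builds without RIPEMD-160 are assumptions.

```python
import hashlib
import os
import struct

SECRET_LEN = 32          # 256 bits of random gibberish
NOTE_LEN = 4 + SECRET_LEN + 8

def note_hash(note: bytes) -> bytes:
    """RIPEMD-160 of the whole note, falling back to SHA-256 when the Python
    build lacks RIPEMD (a portability assumption, not the thread's choice)."""
    try:
        return hashlib.new("ripemd160", note).digest()
    except ValueError:
        return hashlib.sha256(note).digest()

def encode_note(pos: int, secret: bytes, amount: int) -> bytes:
    """<32-bit file position><256-bit random gibberish><64-bit amount>."""
    return struct.pack(">I", pos) + secret + struct.pack(">Q", amount)

def decode_note(note: bytes):
    if len(note) != NOTE_LEN:
        raise ValueError("malformed note")
    return struct.unpack(">I", note[:4])[0], struct.unpack(">Q", note[-8:])[0]

class Server:
    """Holds one hash per record for live notes only; a spent record is
    randomised and chained onto the free list, so the note's bits are gone."""

    def __init__(self, records: int):
        self.records = [os.urandom(20) for _ in range(records)]
        self.free = list(range(records))

    def _live_slot(self, note: bytes):
        """Record number if the presented note is live, else None."""
        try:
            pos, _ = decode_note(note)
        except ValueError:
            return None
        if pos >= len(self.records) or pos in self.free:
            return None
        return pos if self.records[pos] == note_hash(note) else None

    def issue(self, amount: int) -> bytes:
        if not self.free:
            raise RuntimeError("no free records")
        pos = self.free.pop(0)
        note = encode_note(pos, os.urandom(SECRET_LEN), amount)
        self.records[pos] = note_hash(note)
        return note

    def _extinguish(self, pos: int) -> None:
        self.records[pos] = os.urandom(20)   # forget the bits with extreme prejudice
        self.free.append(pos)

    def redeem(self, note: bytes):
        """Take delivery: the amount, or None for a spent or never-issued note."""
        pos = self._live_slot(note)
        if pos is None:
            return None
        self._extinguish(pos)
        return decode_note(note)[1]

    def swap(self, old: bytes):
        """The recipient's immediate swap: the old note dies and a fresh one of
        the same amount is born at another record. (The thread's version has
        the client send back the new note's hash before the switch; here the
        server does both steps itself.)"""
        pos = self._live_slot(old)
        if pos is None:
            return None
        new = self.issue(decode_note(old)[1])
        self._extinguish(pos)
        return new

def demo() -> dict:
    """Alice hands note X to Bob, who swaps at once, then tries X again on
    Charles. Two records force X's slot to be reused, so the last check fails
    on a hash mismatch rather than on the free list."""
    server = Server(records=2)
    x = server.issue(32)            # Alice's note, 32 grams
    y = server.swap(x)              # Bob: accepted, X is dead
    charles = server.swap(x)        # Charles: X is on the free list
    w = server.issue(5)             # record 0 reused for a new note
    return {"bob": y is not None,
            "charles": charles,
            "reused": server.redeem(x),     # hash at record 0 is now W's
            "bob_amount": server.redeem(y),
            "w_amount": server.redeem(w)}
```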
Although I have read some material on blinding etc., I do not see a need for it in my system.
Your system as described is not in the slightest bit anonymous or private. Or at least the user has no cryptographic assurances that the server is not logging everything, or that some adversary isn't logging everything that goes over the connection even though the server is not.
OK, if someone put a gun to my head and said "put in some code to log everything" then they might be able to discern some pattern like "this coin was issued to this IP address, and then three days later that coin was swapped from this other IP address."
Right, that is the linkability problem. Plus of course as mentioned above the user has no reason to trust the server. Or at least he would prefer a protocol where he did not need to trust the server.
OK, that sounds like a potential problem, but I don't see how you can hide this information from the server ITSELF. When you present a coin to the server, it is going to know from which IP address it came, and I don't see a way around that.
That's where blinding comes into the picture. Probably the simplest one to understand is Chaum's original scheme, though there are others such as Brands, and Wagner's online system.

serial-no = (b^e).[R||h(R)] mod n
proto-coin = serial-no^d mod n = b.[R||h(R)]^d mod n
coin = proto-coin . b^-1 mod n = [R||h(R)]^d mod n
check-valid-coin(c) = c^e mod n is of form [x||h(x)]
check-double-spent(c) = bank records spent coins
trace-payee(c) = payer gives bank b, bank records proto-coins as well

So a blind signature in this scheme is that the bank has an RSA modulus n, private key d, and public exponent e. The user sends b^e.M mod n to the bank (where b is a random blinding factor), the bank computes (b^e.M)^d mod n (a standard RSA signature) and sends it back to the user. The user then unblinds by dividing by b, which works because:

(b^e.M)^d = b^{e.d}.M^d = b.M^d mod n
and b.M^d/b = M^d mod n

plus some other details to avoid existential forgeries. And so the bank can recognize its signature later on a coin (because it's a valid RSA signature made with its private key d), but it won't know which unspent coin it corresponds to because it doesn't know the blinding factors b.

Adam
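The RSA blinding exchange Adam lays out above, as an added example that is not part of the original thread or of the Lucrative code: the user forms M = [R||h(R)], blinds it, the bank signs the blinded serial number without learning M, the user unblinds, and at deposit the bank checks the [x||h(x)] form and consults only its spent set to catch a second deposit. SHA-256 as h, a demonstration RSA key generated in-block, and the Bank/demo names are assumptions.

```python
import hashlib
import math
import secrets

R_LEN = 16               # bytes of user randomness R
BODY_LEN = R_LEN + 32    # [R || h(R)] with h = SHA-256 (an assumption): 48 bytes

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demonstration key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def gen_rsa(bits: int = 1024):
    """Bank key (n, e, d): e public, d private."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def new_coin_body() -> int:
    """User side: M = [R || h(R)]. The redundancy makes c^e mod n recognisable
    as a coin and blocks existential forgery from random values."""
    r = secrets.token_bytes(R_LEN)
    return int.from_bytes(r + hashlib.sha256(r).digest(), "big")

def blind(m: int, e: int, n: int):
    """serial-no = b^e . M mod n; the user keeps b and never sends it."""
    while True:
        b = secrets.randbelow(n - 2) + 2
        if math.gcd(b, n) == 1:
            return pow(b, e, n) * m % n, b

def bank_sign(serial_no: int, d: int, n: int) -> int:
    """proto-coin = serial-no^d mod n: a plain RSA signature on gibberish."""
    return pow(serial_no, d, n)

def unblind(proto_coin: int, b: int, n: int) -> int:
    """coin = proto-coin . b^-1 mod n = M^d mod n."""
    return proto_coin * pow(b, -1, n) % n

def check_valid_coin(coin: int, e: int, n: int) -> bool:
    """c^e mod n must have the form [x || h(x)]."""
    m = pow(coin, e, n)
    if m >= 1 << (8 * BODY_LEN):
        return False
    body = m.to_bytes(BODY_LEN, "big")
    return body[R_LEN:] == hashlib.sha256(body[:R_LEN]).digest()

class Bank:
    """Keeps only the spent coins; that set alone catches a second deposit."""
    def __init__(self, bits: int = 1024):
        self.n, self.e, self.d = gen_rsa(bits)
        self.spent = set()

    def withdraw(self, serial_no: int) -> int:
        # The bank signs b^e.M without ever learning M or b.
        return bank_sign(serial_no, self.d, self.n)

    def deposit(self, coin: int) -> str:
        if not check_valid_coin(coin, self.e, self.n):
            return "invalid"
        if coin in self.spent:
            return "double-spent"
        self.spent.add(coin)
        return "ok"

def demo(bits: int = 1024) -> dict:
    bank = Bank(bits)
    serial_no, b = blind(new_coin_body(), bank.e, bank.n)
    coin = unblind(bank.withdraw(serial_no), b, bank.n)
    return {"valid": check_valid_coin(coin, bank.e, bank.n),
            # what the bank saw at withdrawal is not what it recovers at deposit
            "unlinkable": pow(coin, bank.e, bank.n) != serial_no,
            "first": bank.deposit(coin), "second": bank.deposit(coin),
            "forged": bank.deposit(coin ^ 1)}
```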
On Thursday, April 24, 2003, at 06:47 PM, Adam Back wrote:
OK, that sounds like a potential problem, but I don't see how you can hide this information from the server ITSELF. When you present a coin to the server, it is going to know from which IP address it came, and I don't see a way around that.
That's where blinding comes into the picture. ...
This is helpful, Adam, thanks.

Bill Frantz wrote:
The server is in a position to keep track of the money transfer by recording the serial numbers of the old and new coins as the exchanges take place. The server is perfectly capable of making the linkage. If you don't trust the server, then you must believe that all your transfers are known.
This is good too, Bill. All right, I can generally understand the purpose here, to make it impossible to correlate an old coin with a new one issued in its place. That I can see. I was starting to get the impression that somehow the Chaumian techniques were attempting to address the problem of preventing double spends even when doing a long chain of spends without contact with a server. In fact they are trying to address a more modest goal than that, and double spends are still something that must be detected by contact with the server. With the Chaumian techniques, the random coin bits are generated on the user side: http://munitions.vipul.net/documents/cyphernomicon/chapter12/12.5.html
"The way the process works, with the blinding, is like this. The user chooses a random x. ...
So naturally the server cannot keep a list of the valid coins because their specific bits appear to be invented out there in the wild. Hence keeping the list of spent coins, since keeping a list of unspent coins is clearly impossible.

Well hell, that wasn't so hard.

-- Patrick http://fexl.com
On Thu, Apr 24, 2003 at 11:10:20PM -0400, Patrick Chkoreff wrote:
All right, I can generally understand the purpose here, to make it impossible to correlate an old coin with a new one issued in its place.
That I can see. I was starting to get the impression that somehow the Chaumian techniques were attempting to address the problem of preventing double spends even when doing a long chain of spends without contact with a server. In fact they are trying to address a more modest goal than that, and double spends are still something that must be detected by contact with the server.
So actually using Brands credentials which have an off-line fraud tracing option you could if you wished exchange coins peer-to-peer amongst users, who eventually after some number of peer-to-peer spends deposit their coin back at the bank. The bank checks deposited coins and can tell which users double spent coins if any after the fact. What you do about double spending when you detect a given user has done it is a policy question for the bank -- eg fine user, prosecute user for fraud to recuperate costs etc.

(You can also use the same protocol for online checking, so the recipient has the choice of convenience of using peer-to-peer without going via the bank, or the choice to deposit now and get a fresh coin and be sure there won't be any dispute resolution later.)

Adam
At 04:15 AM 04/25/2003 +0100, Adam Back wrote:
On Thu, Apr 24, 2003 at 11:10:20PM -0400, Patrick Chkoreff wrote:
All right, I can generally understand the purpose here, to make it impossible to correlate an old coin with a new one issued in its place. ...
The bank checks deposited coins and can tell which users double spent coins if any after the fact. What you do about double spending when you detect a given user has done it is a policy question for the bank -- eg fine user, prosecute user for fraud to recuperate costs etc.
As Doug Barnes put it, if your algorithm has to exercise the "then haul them off to jail" step, you've failed. The two basic models of digital cash clearing have been
- embed some identity model into the coins, which is revealed by double-spending, and then do something grouchy if you detect it
- always honor the first use of a coin and reject future uses, and let the users fight over failed spending attempts.

Depending on what you're trying to accomplish with your digital cash, one mode or the other may be useful. Hettinga would probably contend that the first-use model is much cheaper and more efficient, because it avoids the costs of creating and tracking user identities and tying it to the world in book-entry fashion. If you're trying to use it for something like remailer tokens rather than real cash, that's certainly the case.

On the other hand, the identity-embedding models have tended to be more prominent around Cypherpunks, partly because it has its own technically interesting characteristics, and may have problems that it can solve, but also because it prevents some kinds of fraud, such as making it harder for the bank to claim that a coin has already been spent.
(You can also use the same protocol for online checking, so the recipient has the choice of convenience of using peer-to-peer without going via the bank, or the choice to deposit now and get a fresh coin and be sure there won't be any dispute resolution later.)
Offline is much much harder than online.
Patrick wrote:
Well hell, that wasn't so hard.
Sure it was :-) But it's stuff that's been done now, mathematically. Doing it in practice is still hard, which is why almost nobody's done it in practice, and not for very long. Back when this stuff was new and exciting, there was an attempt to form an Austin Cypherpunks Credit Union, and the proprietors found that not only was doing business with David Chaum a difficult unsolved problem (:-), but in fact finding a business model that would let them make money at it was even harder.
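Two points from the posts above, Patrick's observation that a mint which signs coins blind can only keep a list of spent coins (it never sees the bits it signs, so an unspent list is impossible) and Bill's "honor the first use, reject the rest" clearing model, as an added example that is not code from the thread or from Lucrative: a toy Chaum-style RSA blind-signature mint in Python. The RSA primes are constructed toy values (a real mint uses keys of 2048 bits or more), SHA-256 stands in for whatever hash a real mint would use for serials, and the `Mint`, `withdraw` and `coin_message` names are my own.

```python
"""Toy online-clearing mint with RSA blind signatures (added example).

The mint signs a blinded value, so it never sees the coin's serial number
and cannot keep a list of valid coins; all it can keep is the set of
serials already redeemed. Deposits are honoured on a first-use basis.
The RSA parameters below are deliberately tiny and NOT secure.
"""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key: two small primes (a real mint would use 2048+ bits).
P, Q = 104729, 104723
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; only the mint holds it


def coin_message(serial: bytes) -> int:
    """Map a serial number into Z_N via a hash, as Chaum-style coins do."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def random_unit() -> int:
    """Random blinding factor coprime to N (so its inverse mod N exists)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


class Mint:
    def __init__(self) -> None:
        self.spent = set()       # hashes of redeemed serials: the only list the mint can keep
        self.seen_blinded = []   # everything the mint ever saw at withdrawal time

    def sign_blinded(self, blinded: int) -> int:
        """Withdrawal: sign m * r^E without learning m."""
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> bool:
        """Online clearing: accept iff the signature is valid and the serial is unspent.
        The first presenter wins; a second presentation of the same serial is refused."""
        if pow(sig, E, N) != coin_message(serial):
            return False
        tag = hashlib.sha256(serial).hexdigest()
        if tag in self.spent:
            return False
        self.spent.add(tag)
        return True


def withdraw(mint: Mint) -> tuple:
    """Customer side: pick a serial, blind it, get it signed, unblind."""
    serial = secrets.token_bytes(32)
    r = random_unit()
    blinded = (coin_message(serial) * pow(r, E, N)) % N
    sig = (mint.sign_blinded(blinded) * pow(r, -1, N)) % N
    return serial, sig


if __name__ == "__main__":
    mint = Mint()
    serial, sig = withdraw(mint)
    print("first deposit:", mint.deposit(serial, sig))    # True
    print("second deposit:", mint.deposit(serial, sig))   # False: already spent
```

The `seen_blinded` list exists only to make the point checkable: the hashed serial that later shows up at deposit never appears in anything the mint saw at withdrawal, which is exactly why the mint cannot maintain an unspent list and must fall back to the spent set.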
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 10:10 PM -0700 4/24/03, Bill Stewart wrote:
Hettinga would probably contend that the first-use model is much cheaper and more efficient, because it avoids the costs of creating and tracking user identities and tying it to the world in book-entry fashion.
Actually, I prefer a first-use model *with* something like "identity" checking, kind of a belt-and-braces approach. When someone pops up with a double-spent coin, the mint can say "nope, can't honor it, here's the key that double spent it, though; have fun." OTOH, as a financial intermediary, the underwriter would make absolutely *no* effort to keep track of who had what key, at all. The whole process would rather tartly teach people *never* to take offline transactions, and, more to the point, reject transactions from a given double-spending key *if* that key ever comes around again.
But, as I've noted before, all this haggling about amateur protocol design is, frankly, a waste of time. Folks (meaning people who write code) have *had* the protocols, for years now, at least three protocols that most people would trust to use for unity-tested transactions above, say, a quarter: Chaum, Brands, and Wagner, and, on a prima facie basis, Wagner's unencumbered by patent, which makes it first in line for experimental use.
And, as you noted, Bill, the trick is the business model, and that's been figured out for at least 4 or 5 years as well :-). That is, plug them into an accepted book-entry reserve-value/transaction execution-clearing-settlement system, like one of the digital gold currency systems, or PayPal, or ATM/ACH, or a central securities depository system on the back end, front-end a mint to the web and a decent internet-level transaction-exchange protocol, and see what happens. Folks are fairly close to being able to do that now, from the way *all* of those book-entry transaction systems have grown themselves into the net over the past 5 years or so, *including* the central securities depositories and clearinghouses. Even PayPal has loosened up their end-user agreement within the last two months or so for what looks like gold-currency exchange providers.
Certainly John Muller, their Corporate Counsel, is completely familiar with those internet bearer transaction protocols and what they can do, so when someone walks in the door there with something that is at least as secure as their system is, it'll probably get a polite hearing. You can certainly bet their management, much less their tech people, knows about the financial cryptography and network security issues.
As far as the digital gold currencies themselves are concerned, people can pretty much do something now, with not too much of a push, because at least two gold currency operators that I know of, GoldMoney and e-Gold, have both actively encouraged people's efforts to make that happen. As Patrick McCuller (the other Patrick :-)) chugs along with the code for Lucrative, it won't take too much to plug a Wagner mint into the shopping-cart interface of an existing value-exchange system like GoldMoney or e-Gold, which Patrick has already worked on doing, and hang out one's underwriting shingle to see what happens. BTW, kudos to Lucky for volunteering a box for Patrick to test Lucrative on so this can happen faster.
It's going to get interesting, folks, and pretty soon, I think. It'll be nice to see if the economics of all of this is going to actually work, finally.
Cheers,
RAH
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

iQA/AwUBPqjWsMPxH8jf3ohaEQJdngCg5bhcubb4ljjgJW9cRrCW0LR8bEkAnRwb
bBFdyOhO3Q7Q5aDfMK5Qkke4
=kZMS
-----END PGP SIGNATURE-----
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Thursday, April 24, 2003, at 10:10 PM, Bill Stewart wrote:
Depending on what you're trying to accomplish with your digital cash, one mode or the other may be useful. Hettinga would probably contend that the first-use model is much cheaper and more efficient, because it avoids the costs of creating and tracking user identities and tying it to the world in book-entry fashion. If you're trying to use it for something like remailer tokens rather than real cash, that's certainly the case.
On the other hand, the identity-embedding models have tended to be more prominent around Cypherpunks, partly because it has its own technically interesting characteristics, and may have problems that it can solve, but also because it prevents some kinds of fraud, such as making it harder for the bank to claim that a coin has already been spent.
I have a _completely_ different impression of which model has been more prominent around Cypherpunks. I agree that Chaum and Brands have had more regime-friendly schemes, heavily involving identity revealing under some circumstances, but I would hardly say that they are either prominent Cypherpunks or that their approaches are prominent _around_ Cypherpunks. The earliest Chaum system, circa 1985-89, sought to preserve full 2-way untraceability via online clearing. Later Chaum systems--and Brands systems at all times, as I recall--made various compromises in what I think were ill-fated attempts to be more palatable to the various dictators in the world. I also disagree that a model where identity is embedded in digital money has more technically interesting characteristics than a pure, first-class system has. More cruft and more baroqueness, yes, as all such systems somehow requiring identity or "is-a-person" credentials, no matter how well disguised, have more cruft and baroqueness. A clean system requiring no identity would be much more interesting to see today. It's how bearer bonds and "markers" and various other forms of money (IOUs, chop marks, warehouse receipts, "pay to the holder of" forms) work. Systems based on identity, even when the identity is only findable via alleged double spending, are more like certain kinds of checks. This is also cleaner in that the security for not letting the digital money leak out (be copied) belongs where it should belong: with the holder. If the would-be double spender was merely careless with his digital money, by allowing the critical numbers to be seen by others, then he is justly punished by having another "get to the train station locker" before he did. If he _himself_ attempts to double spend...well, this is impossible in a system where the first presenter (first to the train locker) gets the money (contents of the locker). Online clearing also offers the best way to "ping" digital cash systems. 
(Which is the protection against a bank attempting with any regularity to make claims that money was already withdrawn, that a digital money token was already "spent.")
From my 1994 Cyphernomicon (accessible via searching with Google, of course):
"12.6.5. Double spending
- Some approaches involve constantly-growing-in-size coins at each transfer, so who spent the money first can be deduced (or variants of this). And N. Ferguson developed a system allowing up to N expenditures of the same coin, where N is a parameter. [Howard Gayle reminded me of this, 1994-08-29]
- "Why does everyone think that the law must immediately be invoked when double spending is detected?....Double spending is an informational property of digital cash systems. Need we find malicious intent in a formal property? The obvious moralism about the law and double spenders is inappropriate. It evokes images of revenge and retribution, which are stupid, not to mention of negative economic value." [Eric Hughes, 1994-08-27] (This also relates to Eric's good point that we too often frame crypto issues in terms of loaded terms like "cheating," "spoofing," and "enemies," when more neutral terms would carry less meaning-obscuring baggage and would not give our "enemies" (:-}) the ammunition to pass laws based on such terms.)
12.6.6. Issues
+ Chaum's double-spending detection systems
- Chaum went to great lengths to develop systems which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double-spending instances. I'm not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it requires physical ID, it invokes a legal system to try to collect from "double spenders," and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can...Bob is then revealed as a "double spender," and his identity revealed to whomever wanted it...Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions.
+ Multi-spending vs. on-line clearing
- I favor on-line clearing. Simply put: the first spending is the only spending. The guy who gets to the train locker where the cash is stored is the guy who gets it. This ensures that the burden of maintaining the secret is on the secret holder."
--Tim May
"He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you." -- Nietzsche
On Fri, Apr 25, 2003 at 03:32:42PM -0700, Tim May wrote:
I have a _completely_ different impression of which model has been more prominent around Cypherpunks.
Most people I've noticed prefer to avoid the "and then he goes to jail" step because it invites regulation and government involvement, is expensive and unappealing. It also involves an identifying registration step to participate which is a barrier to entry.
I agree that Chaum and Brands have had more regime-friendly schemes, heavily involving identity revealing under some circumstances, but I would hardly say that they are either prominent Cypherpunks or that their approaches are prominent _around_ Cypherpunks. The earliest Chaum system, circa 1985-89, sought to preserve full 2-way untraceability via online clearing. Later Chaum systems--and Brands systems at all times, as I recall--made various compromises in what I think were ill-fated attempts to be more palatable to the various dictators in the world.
I think the controversy surrounding political friendliness was centered on properties which are not intrinsic but apparently selected by implementors or proponents:
- there are five schemes we can look at:
- chaum online (CON), chaum/ferguson offline (CFOFF), brands online (BON), brands offline (BOFF), brands p2p offline (BP2P), and wagner online (WON)
- offline means payees can receive funds without connecting to the bank immediately to check validity; their remaining assurance of not accepting double-spent coins is that if a coin they receive is double spent the bank will learn who is responsible; all offline schemes also have an online deposit protocol for when the money is paid into the bank.
- in fact offline coins generally can not be respent without exchanging for a fresh coin at the bank, so the offline function is perhaps better described as "delayed deposit".
- for why this is the case consider bank -> U1 -> U2 -> U3 -> bank with 3 payer/payees U1, U2, U3; bank->U1 is withdrawal, U3->bank is deposit, U1->U2 is pay, but U2->U3 isn't safe and here's why:
- U2 can't convince U3 that he knows the private key for the coin because U2 does not have it to give him (U3 needs that proof to know that U2's identity is in the coin and will be revealed to the bank in case of double spending)
- if U1 did give U2 his private key, so that U2 could convince U3 to accept his coin, then U2 could double spend and U1 would get blamed, so it is not in U1's interests to give U2 the coin private key
- but in the special case of Brands offline, there is a peer-to-peer offline (which I called BP2P) which is a respendable offline option which allows safe offline peer-to-peer transfers. (The trick is in fact to cryptographically bind peer2peer coins (which grow at each exchange) to 0-value coins with the p2p recipient's identity in them. This trick only works with Brands offline I think, because CFOFF doesn't have a private key to bind with).
- all of the systems provide unconditional payer anonymity (CON, COFF, BON, BOFF, BP2P, WON)
And collusion proof robust payee and payer anonymity is inherently possible with all the systems by using accountless operation - this works generically on all systems. Basically the bank provides an interface to allow deposit of coins and getting back fresh blind coins. In fact for this Brands has an extra protocol option to allow this to be done in a single operation (so-called re-freshed coin -- same attributes, new blinding factors). This is not just an efficiency win, it has important privacy value: with this protocol the bank does not learn the coin attributes. In particular this means the bank would not learn the amount of the transaction, as one of the attributes will be the transaction value (ie it can not distinguish 1c from $1000). This I'd argue makes the Brands protocol much more pragmatically secure against flow analysis. (With Chaum the bank has a separate public key per coin denomination, and could to some extent statistically trace groups of coin denominations).
Choosing not to offer accountless operation is a policy decision by implementors and proponents (the usual argument is to avoid the "blackmail attack" -- ie so an unwilling payer extorted can later collude with the bank to identify the extorter). However the side-effect (which is bad) is to make sting operations possible against anonymous sellers who are politically unpopular. As Tim has articulated before there are lots of good reasons a seller should be able to be robustly anonymous.
There are two approaches to extracting payee anonymity even if the bank makes the political decision to not support accountless operation which due to the math work as follows:
1. money changers - this works generically on all schemes -- basically an entity launders the money handing out fresh coins for used coins, optionally depositing the coins at the bank before handing out fresh coins. Typically it is supposed that the money changer would charge a commission. You do not have to trust the money changer with your privacy because you chose your own blinding factors.
2. payer cooperation -- this also works (to varying extents) with all schemes.
- one approach to getting payee privacy is if the payer cooperates with the payee in an online fashion so that only the payee knows the blinding factors (essentially the payee acts as the withdrawer also, and the payer acts as a bit pipe). This protects the payee as the payer no longer has information allowing him to collude with the bank
- the other side of adding payee privacy with this approach is presumably the payer would also like to retain his privacy
- with Chaum's online protocol double blinding works because of the math, so the payer and payee can both be private without needing to trust the other party not to collude with the bank
- with the other schemes the double blinding trick does not work which creates a privacy risk for the payer -- the payee can collude with the bank and identify the payer -- this essentially means that only one of the payer or payee can be robustly private at a time (if the bank refuses to offer accountless operation)
So in summary the best and simplest way to generically get robust payer and payee privacy is accountless operation. If the bank chooses to not offer this option, then Chaum online protocol has the best workaround (retaining payer privacy); however even it is quite inconvenient requiring both parties to be simultaneously online. This requires non-standard software, and interferes with usage pattern -- many normal uses may not require the online aspect -- eg email your payment. Forced to be online also practically reduces the privacy of both payer and payee against observers as interactive connections tend to offer less robust privacy.
The money changer approach works also, but the bank may be able to recognize money changers by their high turnover and cancel their accounts, which you'd have to presume they would do if they intentionally did not offer accountless operation. Not satisfying in that there are no equi-functional work-arounds to the bank not offering accountless operation.
I also disagree that a model where identity is embedded in digital money has more technically interesting characteristics than a pure, first-class system has. More cruft and more baroqueness, yes, as all such systems somehow requiring identity or "is-a-person" credentials, no matter how well disguised, have more cruft and baroqueness.
The protocols which offer the offline option where identity is revealed to bank if you double spend model do have more complex math. However you do get other extra features (in the case of Brands) such as single operation coin-refresh which has significant privacy value, and offer extra attributes which are useful for digital bearer bonds to convey information, and better efficiency, and you don't have to use the offline or p2p offline options -- they are just options. So I'd argue that Brands is just a more flexible, private and efficient system. Granted actually using the identity embedding offline option has problems -- but the lesson there is just don't use that option. Re. the side discussion about whether it's fair to call these tokens coins as the value lies in the double spend database rather than the coin, I had the same discussion with Bob some time ago, and I concur. I'd argue the p2p offline Brands option is more "coin" like in that you (personally) can spend the coin without relying on the double-spend database (providing the payee doesn't do an online deposit before accepting your payment).
A clean system requiring no identity would be much more interesting to see today. It's how bearer bonds and "markers" and various other forms of money (IOUs, chop marks, warehouse receipts, "pay to the holder of" forms) work. Systems based on identity, even when the identity is only findable via alleged double spending, are more like certain kinds of checks.
Another bad aspect of identity is that it affects usability -- everyone has to be a registered and identified user at the bank to participate, even if they allow accountless operation just to meet the offline double-spending system. This is bad for functionality as you'd like to be able to fully participate without ever registering with or identifying yourself to the bank.
I suppose the argument for the offline p2p systems and why people find them tempting is that aside from the identity registration issue, it works much better with intermittently connected devices like PDAs etc, which may not at all times have TCP/IP connectivity. But if you were using offline p2p I'd think you'd only want to accept low value payments, or have a good reason to want the added privacy of high latency deposit to the extent that you'd be willing to accept the risk, and you'd think the bank would not want to accept liability unless they had really good identity verification if the coins were going to circulate for weeks before mass double spending might be noticed. (Though the higher the double-spending multiple, the sooner it will be noticed as on average someone will deposit two of them sooner.) The problem for the bank would be people who either managed to fake the identity system, or the odd nutter who commits identity suicide for a brief burst of unlimited credit -- such people could do a lot of damage.
Adam
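Adam's "payer cooperation" workaround, where the payee chooses the blinding factors and the payer acts as a bit pipe, and his remark that with Chaum's online protocol double blinding "works because of the math", as an added example in Python that is not code from the thread: the payee blinds the serial, the payer blinds it again and presents it to the bank from the payer's account, and each party strips only its own factor. The RSA primes are constructed toy values and the function names are my own. The example goes one step beyond the text: `consistent_payer_blinding` shows constructively why even bank-plus-payee collusion cannot single out the payer's withdrawal, because raising to the public exponent permutes the units mod N, so every withdrawal record the bank holds is algebraically consistent with the payee's view.

```python
"""Double blinding with RSA blind signatures (added example).

Payee blinds the coin serial with r_payee; payer blinds again with r_payer
and withdraws from the payer's own account; the bank signs once; the payer
strips r_payer and forwards; the payee strips r_payee and holds a valid coin.
Toy RSA parameters: NOT secure, illustration only.
"""
import hashlib
import secrets
from math import gcd

P, Q = 104729, 104723               # constructed toy primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent


def random_unit() -> int:
    """Random element coprime to N, usable as a blinding factor."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def coin_message(serial: bytes) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(x: int, r: int) -> int:
    return (x * pow(r, E, N)) % N


def unblind(x: int, r: int) -> int:
    return (x * pow(r, -1, N)) % N


def bank_sign(blinded: int) -> int:
    return pow(blinded, D, N)


def verify(serial: bytes, sig: int) -> bool:
    return pow(sig, E, N) == coin_message(serial)


def double_blind_withdrawal() -> dict:
    """Run the payer-cooperation withdrawal; return the coin and each party's view."""
    # Payee: choose a serial whose hash is a unit mod N, plus a private blinding factor.
    while True:
        serial = secrets.token_bytes(32)
        m = coin_message(serial)
        if gcd(m, N) == 1:
            break
    r_payee = random_unit()
    b1 = blind(m, r_payee)          # handed to the payer; the payer never sees m
    # Payer: add a second blinding factor and present b2 to the bank.
    r_payer = random_unit()
    b2 = blind(b1, r_payer)         # bank debits the payer's account and records b2
    # Bank: sign once. s2 = m^D * r_payee * r_payer (mod N)
    s2 = bank_sign(b2)
    # Payer strips its own factor and forwards; payee strips its own.
    s1 = unblind(s2, r_payer)
    sig = unblind(s1, r_payee)
    return {"serial": serial, "sig": sig, "payer_view": b1, "bank_view": b2}


def consistent_payer_blinding(b1: int, b2_other: int) -> int:
    """For the payee's view b1 and ANY bank withdrawal record b2_other, return
    r with blind(b1, r) == b2_other. Such an r always exists (the E-th root of
    b2_other / b1, computable only with D, i.e. by the bank itself), so the
    bank and payee cannot tell which withdrawal produced this coin."""
    return pow((b2_other * pow(b1, -1, N)) % N, D, N)


if __name__ == "__main__":
    coin = double_blind_withdrawal()
    print("coin verifies:", verify(coin["serial"], coin["sig"]))   # True
```

Note what each party learns: the payer sees only `b1`, never the serial, so it cannot later help the bank recognise the payee's deposit; the bank sees only `b2`, and any `b2` is consistent with any `b1`, so the payee cannot help the bank recognise the payer's withdrawal.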
On Friday, April 25, 2003, at 06:50 PM, Adam Back wrote:
On Fri, Apr 25, 2003 at 03:32:42PM -0700, Tim May wrote:
I have a _completely_ different impression of which model has been more prominent around Cypherpunks.
Most people I've noticed prefer to avoid the "and then he goes to jail" step because it invites regulation and government involvement, is expensive and unappealing. It also involves an identifying registration step to participate which is a barrier to entry.
For now, I only want to say something about this. Not _exactly_ about this, but about the desire some players have to do certain things. These players being:
-- some implementors
-- and ESPECIALLY some start-up companies working to deploy systems (I don't necessarily mean ZK, but if the shoe fits....)
-- and EVEN MORE ESPECIALLY most banks and financial institutions connected to these efforts
And here's what they want to do:
-- make money (a noble goal, but sometimes not realizable directly with an idea)
-- avoid prosecution under the Freedom from Traitors Act, the Anti-Money Laundering Act, RICO, etc.
I think it may just not be possible for some bright programmer to develop a solid digital money (henceforth, DM) system and deploy it while still making money, avoiding some kind of prosecution or lawsuit (civil lawsuits for many different reasons). A solid DM system, which Adam more or less included in his taxonomy of DM proposals, is a substantial threat to many special interests, to many governments, to various crime families (Corleone, Bush families), and so on. We've discussed the implications so many times it hardly bears repeating for me to even start on a laundry list.
In many ways, the situation is a bit analogous to the dawn of printing, or to the dawn of radio. Entrenched interests affected, societal changes triggered. And while we don't have the Church to worry about today, we have millions of lawyers and regulators, ready to pounce on anything that has not been done before, ready to file lawsuits and RICO prosecutions at anything that smacks of tax evasion, money laundering, illegal financial support for outlawed religions, child porn, and on and on. Again, I won't compile a laundry list.
If one thinks of "acceptable use policies," or Ebay's never-ending dance with prosecutors and investigators over things bought and sold on their system, or Napster, the nightmare of having several floors full of lawyers to deal with these suits and prosecutions must be daunting to any established business thinking about providing untraceable DM. (Real money, real cash, would never get approval were it being introduced today, just as aspirin would never get FDA approval...perhaps a slight exaggeration, but the basic point is valid.)
OK, where is this going? To cut to the chase:
* Real DM will likely be introduced in a guerrilla fashion, much as Pr0duct Cypher anonymously released Magic Money a decade ago. To this day, the identity of PC is unknown (though some folks think it must be a person with the initials _ _ ...naw, I'll leave the guessing off of the archives here!).
* Releasing a DM system anonymously means no credit for the developer, except whatever satisfaction he gains from the work, from seeing the foundations shaken, and perhaps from a small group of friends who suspect it was his work. And he may be able to eventually prove authorship, or carefully set the release up so that he escapes prosecution. (Recall that PRZ was hounded and almost indicted for export of PGP when quite clearly he was not involved in the export, when that person named by Jim Warren (with initials _ _ ) was the one who apparently was a key player in the export. Consider the various RICO and Terrorism implications of a DM system which makes tax evasion, purchase of child porn, etc. suddenly very possible.)
* In my view, not necessarily the view of everyone in the DM community, the Big Win for solid DM is in illegal markets, e.g., buying and selling child porn, bestiality, snuff images, etc., and in untaxed betting, buying and selling corporate information, and all the things which untraceability of a very strong form is needed for.
Again, this laundry list of applications has been around for a long time. (I was invited to address a group in Redwood City at the home of Phil Salin in the summer of 1988, and outlined BlackNet, escrow accounts, contract killing markets, data havens, etc. The stuff mentioned in my Crypto Anarchist Manifesto, issued that summer.) All well known, and very controversial, applications. Applications the Feds will expend great amounts of money to try to stop. But it is this kind of an application that someone will be motivated to set up an untraceable DM account for...casual users will not even bother with PGP, let alone DM.
* These applications are different from the "low value - low transaction cost" section of the scatter plot of "value of the information being hidden vs. cost to hide it" graph. At the low end, what I have sometimes called the "millicent ghetto," we have anonymous payments for subway travel, where the value of untraceability is fairly low and where the costs of getting it must then of course be proportionately low. This is the area where work on PDAs and smartcards touches on DM. Not very Cypherpunkly interesting, in my view. Higher on the value-cost graph might be remailer uses. Or buying Web pages. (Where one is willing to pay a few pennies per article to ensure that Big Brother can't compile dossiers.) And of course far to the right on the value axis and up on the cost axis are the uses where the cost of getting caught buying child porn, for example, is a multi-year prison sentence. Those in pedophile and similar trading rings are likely to be willing to pay a lot for protection. (Note that encryption, which they often use, is only one part of the total solution: their VISA bills and money orders are usually where they get caught. An untraceable DM system is needed. And, as we have discussed many times, much more than Chaum's "buyer is untraceable" is needed, as the FBI can set up stings to find the _sellers_.
(Those squeamish about my use of child porn as an example should construct their own examples. One wag refers to sellers of images of "Women Without Veils" as a Western-friendly example. I like to cite selling birth control information: illegal in most Islamic countries. A DM system for such uses must be both buyer- and seller-untraceable. And probably bank-untraceable, though that's for another discussion.)
* Anyone releasing such a strong DM system should be targeting the high end applications, where the needs for untraceability are very high and the willingness to pay the costs (in training, in network resources) is also high.
* In my view, most who have looked to enter the DM market (such as Digicash, Mark Twain Bank, etc.) have shied away from precisely the areas where untraceability meets a real market need. Most people don't care much about untraceability of tiny transactions (examples abound--even in my own case, I use my bank cards for nearly any purchase that is not small change).
* But to release a product which meets these needs is to invite real trouble! (I met with two of the founders of Zero Knowledge entering the "untraceable mail" business several years ago. I outlined cases including users threatening the PM of Canada and of extortionists threatening to blow up a plane. And child porn. I argued that a company with a readily identifiable nexus of operation in a major city could not survive such uses...the archives contain a discussion of what we talked about.)
* Note that "acceptable use policies" and "account cancellation" don't work for untraceable mail systems (except maybe after the fact, where a nym can be cancelled...not a huge obstacle when nym reputations are transferable and where nyms are purchasable for $10 each per year, or somesuch...note that I'm not saying I liked the account orientation of Freedom Net, but even with their system the threat of account cancellation for violations of acceptable use policy was not terribly useful in this context). A digital money system where the DM may be "cancelled" will not fly. For various reasons. (Imagine your bank telling you that if they think you are violating their use policies they may simply seize your money and you'll be out of luck.)
OK, again, where is this going?
* It may be that pioneers in this area just won't be able to make any money. This is not new. Many discoveries did not enrich the discoverer. Sometimes they were recognized in their lifetimes, sometimes not. James Watt did not hold back on revealing his steam engine until he was assured that he would dominate the market. (Actually, James Burke used to do a lot of episodes on guys like Watt. I've forgotten whether or not Watt ever made a lot of money off of his invention...but I do know that the major steamship and machinery companies of the 1800s were not named after James Watt.)
I believe David Chaum probably should have skipped the idea of having a company of his own and developing products which used his blinding techniques. He was already wealthy (and self-financed much of Digicash, as I understand the story, losing a lot of his own money in the process) so he could simply have licensed the patents and watched the fireworks. For those who really want to be the next Bill Gates, look elsewhere. There may be some bucks to be made, but with many problems.
Even with something as relatively straightforward as PK crypto, it was touch and go for many years with RSA Security (according to my talks with Bidzos, and discussed in Levy's book "Crypto"), and it was fortuitous that a) software patents had just gotten rolling in time for them to capitalize on the confusion, and b) the rise of the Web in the mid-90s and the dot com boom happened in time for them to get rolling. (I don't follow their finances at all, so I don't know how well their business is doing.)
Maybe the dot com crash is the best thing to have happened to our little community. Several years ago it seemed that everyone at a CP meeting was talking about the latest start-up company, or joining one, or starting one themselves. Now, things have come back to reality.
And the reality is that someone or some group will combine enough protocols and algorithms, whether they are patented or licensed or not, and release a working DM system. Perhaps tied to an offshore bank, perhaps to something like PayPal, for redemption. And if they are smart, they'll stay anonymous. They for sure will not be a U.S.-based company, not if they are doing the things we want to see done.
--Tim May
On Fri, Apr 25, 2003 at 10:56:02PM -0700, Tim May wrote:
| * In my view, not necessarily the view of everyone in the DM community,
| the Big Win for solid DM is in illegal markets, e.g., buying and
| selling child porn, bestiality, snuff images, etc., and in untaxed
| betting, buying and selling corporate information, and all the things
| which untraceability of a very strong form is needed for. Again, this
The online gaming industry and the adult entertainment industry both have very large problems with payment repudiation. Both understand that their customers have a desire for privacy. These industries will provide the bulk of your business for a while.
So there are horsemen using it? Horsemen use cars, as we've pointed out for a long time.
I think it's possible to solve the 4-player ecash problem using porn and gambling as your first merchants. Offer a substantial discount to players using ecash (which they make up in loss reduction). Do it in London, where they're not so moralistic and taxing as in the US, and where there's a single regulator.
I've said it before, but I'll say it again: Law enforcement was not the large problem that you predicted for ZKS. The large problem was that the problem we were solving was that most people don't understand the privacy threat from internet monitoring. They don't understand how it works, they don't understand what can be gleaned, and so they're not really all that concerned. Related to this, what people think they know about internet privacy mostly revolves around cookies, credit cards, and identity theft, and thus Norton's personal firewall with a cookie manager sells well.
However, I think that it's possible to create a system that uses the real-time settlement to bring merchants suffering from fraud on board, uses privacy to bring the users on board, and uses fees to bring the banks on board. If only the patents were all expired..
Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume
On Saturday, April 26, 2003, at 06:41 AM, Adam Shostack wrote:
I've said it before, but I'll say it again: Law enforcement was not the large problem that you predicted for ZKS. The large problem was that the problem we were solving was that most people don't understand the privacy threat from internet monitoring. They don't understand how it works, they don't understand what can be gleaned, and so they're not really all that concerned. Related to this, what people think they know about internet privacy mostly revolves around cookies, credit cards, and identity theft, and thus Norton's personal firewall with a cookie manager sells well.
I don't believe ZKS ended up targeting the remailer niche ("space") we are interested in. In the years that Freedom nyms were being sold, how many were used to post to this list? How many were used to post to Usenet? A set nearly of measure zero. I assume _some customers_ were using Freedom...I just don't recall ever receiving a message from any of them, or seeing any of them on the lists and groups I frequent. So the uses I expected would expose the owners of Freedom to investigation for (just as operators of remailers have been exposed to being shut down for) never materialized. We will never know whether ZKS would have faced pressures when it was used for song-swapping or extortion threats or child porn, as the customer base never got large enough. (I still check in on www.zks.net occasionally to see what's going on. Stuff about firewalls and viruses.) --Tim May
On Sat, Apr 26, 2003 at 10:06:48AM -0700, Tim May wrote:
I don't believe ZKS ended up targeting the remailer niche ("space") we are interested in. In the years that Freedom nyms were being sold, how many were used to post to this list? How many were used to post to Usenet? A set nearly of measure zero.
I think the first mail system at ZKS was relatively unreliable, and complex for users to understand and use (setting up a nym as with nymserver/type I involved reply blocks, waiting for confirmation etc). It was reply block based, but reimplemented from scratch, not based on cypherpunk type I code. Some of the issues were implications of the design (as with type I based reply blocks, some mail does not arrive; also reply blocks always seemed fragile to me), others were probably implementation issues. The 2nd gen mail system we built at ZKS (my design) had a different set of tradeoffs. I found a copy of the "Freedom 2.0 Mail System" white paper here: http://osiris.978.org/~brianr/crypto-research/anon/www.freedom.net/products/... It was definitely more reliable (the main business reason for doing it). Also there was no reply block pointing back at your real identity which is the main weakness of the reply-block design: it is a subpoena risk. Instead it was based on a pop server which you optionally connect to via the anonymous freedom network to achieve sender anonymity (or deliver via mixmaster if you prefer, it accepts regular mail to interface with non-anonymous users), and via the freedom network again to achieve recipient pseudonymity. So these interactive connections are immediately forward-secret, and therefore you have much better protection against subpoena attack. However they are more vulnerable to all-powerful observer attacks who could probably figure out which pseudonym was which by sending lots of unique sized email and then watching traffic patterns flow through the network. So as you might expect different systems can be built which optimize against different types of threat. I'd argue the 2nd gen mail system would be much better against subpoena attack, but weaker against all-powerful passive adversaries.
The typical thing an end user with strong desire for privacy would be concerned about (frivolous lawsuits related to online discussion groups, defamation, privacy against law enforcement sting operations, etc) would be better protected; whereas national security issues where you might imagine NSA or such could coordinate and implement the all-powerful passive adversary are less well protected against.
I assume _some customers_ were using Freedom...I just don't recall ever receiving a message from any of them, or seeing any of them on the lists and groups I frequent.
I think there were more active users of the web browsing side of things than the pseudonymous mail for the reasons above. The version might have been better given time, but I think freedom network (and mail) was discontinued relatively soon after its deployment.
(I still check in on www.zks.net occasionally to see what's going on. Stuff about firewalls and viruses.)
Yes. This is why I quit to do other stuff -- limited crypto stuff left, and no distributed trust anonymity or privacy left. ZKS still does have one anonymous networking type system called websecure which they are actively selling and have subscribers of. It's somewhat similar to anonymizer.com in that it is one hop only anonymous traffic for web browsing only. The differences (which make it probably more secure I'd argue) are that it doesn't rely on html re-writing which is a risky strategy to provide good assurance (periodically someone finds some html extension which anonymizer.com style html rewriting misses, until they fix it; or fuzzy parsing rules in browsers which allow you to slip URLs past the re-writer in a way that some browsers will fix up, but the re-writer doesn't recognize as a URL). Unfortunately the websecure approach is also Internet Explorer specific, relying on a browser helper object to hook in an SSL tunnel to the proxy (run by ZKS). It's described here: http://www.freedom.net/products/websecure/index.html The fact that it's a browser helper object doesn't hurt the appearance -- it doesn't really look like a download, the installation is quite rapid and seamless. (The rest as Tim says is a suite with options of a Personal Firewall, Anti-Virus and Parental Control.) The suite products are primarily sold (actually "rented" as a service for $x/month with profit share) via ISPs, preinstalled on hardware manufacturers' machines etc. (What you get for your ongoing subscription is virus definition updates, firewall rule updates to cope with new applications, software updates, and the parental control involves ongoing use of a server). As you can see on the press release page they're quite successful at signing up ISPs onto this model: http://www.zeroknowledge.com/media/pressrel.asp with a fairly steady stream of new and fairly major ISPs. So, successful, but not hard-core cryptographically assured, distributed trust/zero-trust, privacy related. Adam
I wrote about freedom 2.0 mail system:
So these interactive connections are immediately forward-secret, and therefore you have much better protection against subpoena attack. However they are more vulnerable to all-powerful observer attacks who could probably figure out which pseudonym was which by sending lots of unique sized email and then watching traffic patterns flow through the network.
So a couple of other comments:

- Ulf Moeller, Anton Stiglic and I published our thoughts about how someone could go about doing the passive adversary traffic analysis attacks on interactive systems such as the freedom anonymous network: Apr 01 - "Traffic Analysis Attacks and Trade-Offs in Anonymity Providing systems", Information Hiding 2001, Adam Back, Ulf Moeller and Anton Stiglic http://www.cypherspace.org/adam/pubs/traffic.pdf

- and in fact the version 1 freedom mail system had other issues: the mail was not split up into fixed sized chunks (as it is with mixmaster), so it suffered the same vulnerabilities that type I based nymservers do: it was in addition equally vulnerable to traffic analysis. I'd take this version 1 freedom mail vulnerability to indicate that in essentially all respects version 2 was more secure than version 1; though some of the version 1 design-issues could have been fixed in similar ways that are proposed in the mixminion project.

The mixminion project (aka Type III remailer) design and implementation attempts to avoid these issues by merging reply block functionality into a mixmaster like fixed sized message mix net. Mixminion actually uses Single Use Reply Blocks (SURBs) to in addition reduce vulnerability to flooding attacks (where someone just sends lots of messages to see where they arrive as they flow down the reply block). The recipient I think is expected to send a few SURBs to nyms he communicates with, and to send SURBs to the nymserver to pick up mail from regular internet mail senders (who are not using the mixminion client). If I understand it is also planned that the mixminion / Type III protocol will be implemented within mixmaster as mixmaster version 4. (The current alpha mixminion code is a separate code base, written in python scripting language). The other good thing about mixminion / type III protocol is that finally type I remailers with their traffic analysis issues could be phased out. (Their remaining reason for existence was to support reply-block functionality for nymservers).

Adam
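The size-based traffic analysis Adam describes in the two posts above (an observer sending uniquely sized mail and watching it flow through the network, and the version 1 Freedom mail system not splitting mail into fixed-sized chunks the way Mixmaster does) is easiest to see in code. What follows is an added example, not code from ZKS, Mixmaster or Mixminion: a small chunking layer that pads every message out to a constructed 1024-byte chunk with random bytes, so a passive observer sees only a count of identical-sized chunks rather than the true length, and that reassembles chunks arriving out of order while refusing a set with a chunk missing. The header layout, the chunk size and the function names are assumptions made for this example; a real remailer packet would also encrypt the header and payload per hop, which this block does not do.

```python
import math
import os
import struct

# Constructed header: 16-byte message id, chunk index, chunk count, payload length.
# Assumed layout for the example; not the Mixmaster or Mixminion packet format.
HEADER = struct.Struct(">16sHHH")
CHUNK_SIZE = 1024  # assumed fixed wire size for the example, not Mixmaster's


def split_message(msg: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Split msg into chunks of exactly chunk_size bytes.

    Every chunk is the same length regardless of how much real payload it
    carries; unused space is filled with random bytes so padding cannot be
    told apart from data by its appearance (it would be encrypted per hop in
    a real mix net anyway).
    """
    capacity = chunk_size - HEADER.size
    if capacity <= 0:
        raise ValueError("chunk_size too small to hold the header")
    count = max(1, math.ceil(len(msg) / capacity))  # empty message -> one chunk
    if count > 0xFFFF:
        raise ValueError("message too long for the 16-bit chunk counter")
    msg_id = os.urandom(16)
    chunks = []
    for i in range(count):
        payload = msg[i * capacity:(i + 1) * capacity]
        padding = os.urandom(capacity - len(payload))
        chunks.append(HEADER.pack(msg_id, i, count, len(payload)) + payload + padding)
    return chunks


def reassemble(chunks: list) -> bytes:
    """Inverse of split_message; accepts chunks in any order.

    Raises ValueError when a chunk is missing, belongs to a different message,
    or claims more payload than it carries, so a dropped or foreign chunk is
    detected rather than silently producing a corrupt message.
    """
    if not chunks:
        raise ValueError("no chunks supplied")
    parsed = {}
    msg_id = count = None
    for chunk in chunks:
        if len(chunk) < HEADER.size:
            raise ValueError("chunk shorter than header")
        cid, idx, cnt, plen = HEADER.unpack_from(chunk)
        if msg_id is None:
            msg_id, count = cid, cnt
        if cid != msg_id or cnt != count or idx >= count:
            raise ValueError("chunk does not belong to this message")
        if plen > len(chunk) - HEADER.size:
            raise ValueError("payload length exceeds chunk")
        parsed[idx] = chunk[HEADER.size:HEADER.size + plen]
    if len(parsed) != count:
        raise ValueError("missing chunks: have %d of %d" % (len(parsed), count))
    return b"".join(parsed[i] for i in range(count))


def wire_sizes(chunks: list) -> list:
    """The only thing a size-watching observer gets to see."""
    return [len(c) for c in chunks]


def drops_detected(chunks: list) -> bool:
    """True if reassemble() refuses the set (missing, foreign or corrupt chunk)."""
    try:
        reassemble(chunks)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample messages of very different lengths.
    short = b"hi"
    longer = b"A" * 900
    print("short :", wire_sizes(split_message(short)))   # [1024]
    print("longer:", wire_sizes(split_message(longer)))  # [1024]: same on the wire
    big = os.urandom(5000)
    pieces = split_message(big)
    print("big   :", wire_sizes(pieces))                 # five 1024-byte chunks
    assert reassemble(list(reversed(pieces))) == big
    print("dropped chunk detected:", drops_detected(pieces[:-1]))
```

Note what this does and does not hide: a 2-byte and a 900-byte message are indistinguishable on the wire, but a 5000-byte message still produces five chunks, so the chunk count leaks a coarse size. Mix nets that split into fixed-size packets accept that leak and address it with cover traffic and batching, not with padding alone.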
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Lex vincula justitiae -- Roman Aphorism

"Camels, fleas, and princes exist everywhere." -- Persian proverb

"Some people say that money can't buy happiness. I've found that it usually does, and, when it doesn't, it buys the most interesting substitutes." -- Rhett Butler, 'Gone with the Wind'

"Reality is not optional." -- Thomas Sowell

Truth and Justice, Grapeshot and JDAMs, Money and Happiness
Geodesic Capital
Robert Hettinga
Boston, 4/26/03

I tend to think in terms of finance and economics, and not law and politics. Well, not legislation or regulation, anyway; private agreement, private law, is actually necessary for civilization -- go read most of the shattered cuneiform on the floor of the Baghdad Museum if you need a hint. Even though most people think you can't *do* either finance and economics without legislation and force monopoly, cypherpunks in particular understand that this is not necessarily the case in a world of ubiquitous networks and strong financial cryptography.

However, I'm not one to believe in grand conspiracies against Truth and Justice, either. Even if violent repression is used to preserve the status quo, the status quo is not immune to physical environmental change, and, ultimately, the economics of a given physical change is what makes most of the human world change. You have to *pay* the guys with guns, after all, or they won't kill people for you.

So, I think that, financial "corn-laws" or no, internet financial cryptography must significantly change *finance*, that is, people have to *make* money, and lots of it, or it's just "art", for lack of a better word. It's not even politics, because it has no effect on reality. Like art, it just becomes an entertaining waste of time. Otherwise, one might as well plant fake bombs in a courthouse, or dump mercaptan on the doorstep of the IRS, or hoover out somebody's property records from Lexis and post it on a mail list.
Or, for that matter, decide that you're only going to use internet bearer transaction technology to finance dope-dealers, or child-pornographers, or terrorists, or father-rapers, or any other shop-worn horseman the infocalypse is selling this week. There's no serious money in it, for starters, and, if you make *everybody* money, in theory at least, your market's bigger. :-). That's why I say that internet bearer protocols should be three orders of magnitude cheaper to use than book-entry protocols, even internet book-entry clearinghouses like PayPal -- or book-entry financial cryptography protocols like Peppercoin -- or nothing will happen, no matter what one's political intent is. In fact, I started IBUC because I thought that those three orders of magnitude were possible at a time when nobody else did, and I have the arrows in my back -- and the creditors sitting back there as well :-) -- to prove it. When I started the company, I thought that there was enough capital sloshing around out there to give financial progress a shove, and make lots of money by being there first, because in three or five years the barriers to entry would be completely down, and any cypherpunk worth his code could underwrite bearer instruments on the net. It turns out that there wasn't much capital out there, for internet payments, much less for internet bearer transactions. All of the money we raised was just before the bubble popped, from family, friends and friends of friends, and, just before I pretty much quit trying to raise money at all, Declan McCullagh had written an article on us that reminded me for all the world of that feral kid in Mad Max, walking across a burned-over post-apocalypse throwing that steel boomerang at fat guys with a leather fetish. Which, in hindsight, was prescient by about 4 months, since it was written in the middle of June 2001. 
Nonetheless, we managed to get some financial operations consulting work to keep the company afloat to keep thinking about it, though that dried up, too, just before, and certainly after September 11th. So, four (founded, by coincidence, I swear, on April 15, 1999) of those three to five years have come and gone, the technology and financial networks have just about grown into each other naturally, and, at the moment, we're trying to be at least that first cypherpunk, hopefully one of many. We'll see what happens. Which brings me to happiness. People do what is in their own interest at all times. Altruism is just another form of selfishness, for instance, because people's lives are finite and one's reputation can outlast one's life. Even if one uses a pseudonym, one's life, and death, may be more pleasurable because of some altruistic sacrifice or another, and you gotta die sooner or later anyway. As Ayn Rand herself said once, life may be too painful if someone you love isn't in it, so you'd rather give your life saving theirs. On the macro level, the US is not the strongest and richest nation-state in the world because it confiscated its wealth at the point of a tank-barrel or missile-silo. It is the strongest nation-state in the world because it *bought* those tanks, and missiles, because its citizenry *earned* the money that was confiscated, by taxation, and papered over with the outright fraud of "social welfare", to build those weapons, mostly because of some external threat, and in spite of the attendant graft and budget-packing. And all of *that* was possible because the US is, to date, the freest country, and thus the freest market, in the world. It is the best place in the world for free people to maximize their happiness. So far. To the extent that it continues to be so remains to be seen. It is, frankly, orthogonal to whatever an individual's immediate *political* motivations are, violent, or otherwise, hostile to the state, or otherwise. 
Only outright economic results matter, and free people make much more stuff than slaves do. Or at least the right kind of stuff, as Mancur Olson demonstrated in "Power and Prosperity", his book on the political economics of the Soviet state under Stalin. Personally, I believe that, contrary to what God-Fearing Conservatives and Reasonable Libertarians think, markets themselves actually cause freedom. You may be born "owning" yourself all you want, but freedom is not given to you by God, or anyone else. *Nothing*, really, is actually given to us. Freedom is not, as most people here and elsewhere believe, a "right". It may have to be *taken* occasionally, but usually it is just bought and paid for, sometimes with the blood of altruistic people, but most often with what people earn after they feed, house, and clothe themselves and their families: profit, in other words. Again, as they always are about representing some triumph of socialism, Star Trek is wrong. The Ferengi are the good guys. Acquisition *does* matter. :-). But it's more fundamental than that. Much more than the platitude says, freedom is *earned*, usually by doing something well enough that people leave you alone about other things, or you won't do what they want for them anymore, either passively by refusing to work, or actively, by force of arms. And, even if that somebody has a gun at your head, it's still in *their* interest to leave you alone otherwise, if they want to get what they're after from you. As Mancur Olson says, a force monopolist, like any bandit, can't kill all the people he steals from, or he'll run out of people to rob. Olson also says that the optimum theft-rate for a force-monopolist is something shy of 50% before the economy starts to fall over, by the way. Sound familiar?
Contrary to popular belief, the richest force monopolists in the world, the ones who are statistically most likely to live to spend their money and give it to their children and otherwise be left in peace, are the ones who are ostensibly *hired* to operate Western free-market democracies, as kleptocratic as those governments still are. We just saw a failed example of force monopolist a few weeks ago in Iraq, in fact, and we'll be seeing more soon, I expect. Like any bad parasite -- and force monopolism *is* parasitism, and make no mistake, it's not symbiosis as statists would have you believe -- Mr. Hussein so severely weakened his "host" population, physically and economically, that it could be easily killed, or at least violently captured. Hussein was probably bombarded into fine organic mush in the bargain. The fact that Iraq's population was "violently captured" -- and, one would think, set free -- by a still socialist-riddled nominal republic with the world's largest free-market economy was no accident, however. Whatever one's Jeffersonian, or, more apparently, Jacksonian, motives are about "fighting the power" with a cryptographic "revolution" -- or any other kind of "activism", technological, political, or otherwise -- as if it were some kind of gallant Confederate cavalry charge into massed Union grapeshot, or even Rhett Butler running the blockade of Savannah, whatever, the *only* way that this stuff will happen is by making *more* money than the alternative book-entry transaction execution, clearing and settlement technologies. *Much* more money. Whether they're entrenched, or not; violently defended, or not. Then, if necessary, we can just *hire* the B52s and JDAMs to pound *their* horse-drawn field artillery troops into fine organic mush instead. The stuff's not called financial cryptography for nothing, after all. 
Cheers, RAH
-- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Sat, 26 Apr 2003, R. A. Hettinga wrote:
"Some people say that money can't buy happiness. I've found that it usually does, and, when it doesn't, it buys the most interesting substitutes." -- Rhett Butler, 'Gone with the Wind'
It's a movie chucklehead. And did Rhett get his happiness in the end? No. -- ____________________________________________________________________ We are all interested in the future for that is where you and I are going to spend the rest of our lives. Criswell, "Plan 9 from Outer Space" ravage@ssz.com jchoate@open-forge.org www.ssz.com www.open-forge.org --------------------------------------------------------------------
Frankly my dear kook, I don't give a damn (about your opinions that is). ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :NSA got $20Bil/year |Passwords are like underwear. You don't /|\ \|/ :and didn't stop 9-11|share them, you don't hang them on your/\|/\ <--*-->:Instead of rewarding|monitor, or under your keyboard, you \/|\/ /|\ :their failures, we |don't email them, or put them on a web \|/ + v + :should get refunds! |site, and you must change them very often. --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------ On Sat, 26 Apr 2003, Jim Choate wrote:
On Sat, 26 Apr 2003, R. A. Hettinga wrote:
"Some people say that money can't buy happiness. I've found that it usually does, and, when it doesn't, it buys the most interesting substitutes." -- Rhett Butler, 'Gone with the Wind'
It's a movie chucklehead. And did Rhett get his happiness in the end?
No.
R. A. Hettinga wrote:
the US is, to date, the freest country, and thus the freest market, in the world.
Do you have some hard data to back up this assertion, or are you just repeating the brainwashing we Americans are fed from at least kindergarten forward? I don't know of any serious study of economic freedom that puts the U.S. in the number one spot. Every rating I've seen for the past ten years has put the U.S. at number four or worse. I haven't seen any serious attempt to quantify overall freedom, but even there I still have my doubts that the U.S. would rank number one by any reasonable measure. Yes, the U.S. looks great on paper, with that nice Constitution and Bill of Rights; too bad all those protections have been interpreted out of existence by the Supremes. Furthermore, the U.S. is the most powerful government in the world right now, which allows them to intrude much more severely into the lives of their subjects than many nominally less-free nations with (on paper) worse laws and fewer legal protections for the rights of individuals.
On Sat, 26 Apr 2003, Kevin S. Van Horn wrote:
Do you have some hard data to back up this assertion, or are you just repeating the brainwashing we Americans are fed from at least kindergarten forward? I don't know of any serious study of economic freedom that puts the U.S. in the number one spot. Every rating I've seen for the past ten years has put the U.S. at number four or worse.
Econ Freedom of the World 2002 http://www.freetheworld.com/2002/1EFW02ch1.pdf US 3rd after HK & Singapore. Index of Econ Freedom 2003 http://cf.heritage.org/index/indexoffreedom.cfm US tied for 6th after HK, Sing, Lux, NZ, Ireland. HK & Sing have obvious general liberty probs. involving being an SR in a commie dictatorship in the case of HK and Confucian fascism (Disneyland with the Death Penalty) in the case of Sing. Lux. has address registration with the cops or the local government (I think). I don't know enough to compare overall liberty in NZ & Ire. but with Ire. in the EU now it's possible that we're #1. Shows a low standard for liberty in the world. DCF
The US is No. 1 in:
1. Percentage of population in jail.
2. Percentage of population in law enforcement.
3. Military spending.
4. Percentage of population in government.
5. Disparity between the rich and the poor.
6. Murders.
7. Crimes.
8. Number of laws.
9. Percentage of population who are lawyers.
10. Number of lawyers, judges, wardens and prison corporations.
11. Number of private cops.
12. Number of private spies.
13. Number of government spies.
14. Percentage of college educated out of work.
15. Number of people who have never worked a single day.
16. Number of stock market investors.
17. Number of people who have lost everything from stock cheats.
18. Number of billionaires.
19. Number of millionaires.
20. Number of female prostitutes.
21. Number of male prostitutes.
22. Number of child prostitutes.
23. Number of genital disease sufferers.
24. Number of institutionalized mental patients.
25. Number of persons in therapy.
26. Number of therapists.
27. Number of religions, cults and their members.
28. Number of public relations firms.
29. Number of lobbyists.
30. Number of college professors.
31. Number of didacts.
32. Percentage of population who expect the government or somebody to take care of them from cradle to grave.
33. Percentage of population who think they are right when they say the US is the best.
And many, many more, but that's not what gets spun about the bullshit leader of the free world.
Kevin, I really do pay attention to this stuff, almost full time, and I read most of the same things that Duncan does. When you put them all together, we're close enough to the top for, heh, government work. At 7:21 PM -0400 4/26/03, Duncan Frissell wrote:
I don't know enough to compare overall liberty in NZ & Ire. but with Ire. in the EU now it's possible that we're #1. Shows a low standard for liberty in the world.
Amen. We're sort of the Microsoft of free countries right now (I'm a Mac guy, myself...) it ain't pretty, the company's grabby and turfy, but most of the feature boxes get checked off, and it's what everyone's using at work. NZ's backsliding a bit, especially since 9/11, but I bet Peter can tell us more first hand if he's around. What Duncan said about Ireland, but they're fighting the good fight, and, hell, like Adam said, London's got a TAZ or two that doesn't completely suck, but, over all, the UK's in the same shoes we are securitywise, and anal probes accordingly. Meanwhile noose tightens. Like Doug said, "and then you go to jail" still is a bad error-handler for a protocol. Write code if you've got it to write. Anyway, we all have the ultimate canary in a coal mine. If *Tim* decides it's time to go, then the US is officially in the shitter and it's time to grab the bug-out bag. In the meantime, Young, as usual, writes great word salad, this time about what a shitty country we are, but the still-warming pot is, at the moment, the coolest place on the stove; certainly not the frying pan of the continental EU, much less the fire of the Third World, most of the XSU and Le Chine inclusive. All these cooking metaphors are making me hungry. Freedom: The New White Meat. (marginally better than "It's what's for dinner"?) Cheers, RAH
On Saturday, April 26, 2003, at 08:43 PM, R. A. Hettinga wrote:
Anyway, we all have the ultimate canary in a coal mine. If *Tim* decides it's time to go, then the US is officially in the shitter and it's time to grab the bug-out bag.
Personal liberty is of course not the same thing as economic or business liberty, of course. It might be that Costa Rica, for example, would be a fine place to live with low income taxes (hypothetically) even if it is not a great place to headquarter a corporation in. (I picked Costa Rica because it has a tropical climate, some Dutch hackers have a place there, a well known digital money advocate relocated there, and it has no standing army. By coincidence, Intel located an assembly plant there. But not its corporate headquarters, needless to say.) Selling my house, packing up my voluminous amount of stuff (or worse, discarding it), and moving to Costa Rica or the South of France, or, Allah forbid, moving onto an oil platform or gunnery turret or whatever, is not easy to do. Furthermore, Uncle Sugar thinks he has the right to take my assets for the first 10 years I'm no longer having other countries invaded on my behalf, no longer having negro welfare mothers breeding on my behalf, and no longer getting any of the so-called benefits of advanced civilization. Those who have exited the country have found the tax man hounding them for years. Probably if I were to leave the U.S. I'd do it the old-fashioned way: buy a lavish, well-protected seaside villa in Mexico and just pay off the local cops and politicians. How I'd get my money out of the U.S. without Uncle Sugar taking 35-50% for the aforementioned country invasions and welfare breeders is an unsolved problem. (Hint: Stuffed suitcases don't work, for various reasons.) [This space reserved for insertion of usual silliness about living out of suitcase, stuffed or not, and being a "perpetual tourist," which only works if one is below a certain net worth and if one likes to travel a lot.] Meanwhile, it's easier to have a lot of guns, some perimeter alarms, various sets of "documents" to facilitate escape from Airstrip One, and to minimize stock sales so as to minimize Uncle Sugar's theft.
If I leave, I expect it will be one step ahead of the Thought Police, aka Ashcroft's Army.
In the meantime, Young, as usual, writes great word salad, this time about what a shitty country we are, but the still-warming pot is, at
I still can't understand anything he writes. He's either actually a loon, as he portrays himself to be, or he thinks he's channeling James Joyce. --Tim May
At 09:18 PM 04/26/2003 -0700, Tim May wrote:
[This space reserved for insertion of usual silliness about living out of suitcase, stuffed or not, and being a "perpetual tourist," which only works if one is below a certain net worth and if one likes to travel a lot.]
There are different kinds of perpetual tourism, some of which involve less travelling than others. I have friends who are believed by the Netherlands bureaucrats to be spending their time in Belgium, and by the Belgian bureaucrats to be over in the Netherlands. I think the apartment in the Netherlands is probably different than their official when-we're-not-outside-the-country address, and that their Belgian address is a mailbox, but I could have that backwards, and at least one of their addresses is probably owned by a corporation, and their net worth is probably in Switzerland or some such location, but while their net worth is fine, I think they're probably retired or at most "consulting" rather than doing full-time work. On the other hand, one nice thing about that area is that if they _do_ need to be out of the country, it's an hour or two across an unguarded border. I don't know if it's as easy to confuse the US and Canada about which country you're living in, and while the borders are permeable, they're a lot more thoroughly audited than they used to be, so maybe you need to spend more time on the ferryboat to Vancouver instead of driving or flying commercially.
On Sun, Apr 27, 2003 at 12:05:01AM -0700, Bill Stewart wrote:
I don't know if it's as easy to confuse the US and Canada about which country you're living in, and while the borders are permeable, they're a lot more thoroughly audited than they used to be, so maybe you need to spend more time on the ferryboat to Vancouver instead of driving or flying commercially.
I've known a couple of different people who were private pilots who always said the US/CA border is non-existent. -- Harmon Seaver CyberShamanix http://www.cybershamanix.com
At 9:18 PM -0700 4/26/03, Tim May wrote:
I still can't understand anything he writes. He's either actually a loon, as he portrays himself to be, or he thinks he's channeling James Joyce.
Having met John Young once, I think I prefer the latter, he's certainly smart enough to do it.:-) Cheers, RAH
On 25 Apr 2003 at 22:56, Tim May wrote:
I think it may just not be possible for some bright programmer to develop a solid digital money (henceforth, DM) system and deploy it while still making money, avoiding some kind of prosecution or lawsuit (civil lawsuits for many different reasons).
[...]
* Real DM will likely be introduced in a guerilla fashion, much as Pr0duct Cypher anonymously released Magic Money a decade ago.
The mint cannot be anonymous. Needs reputation, and sizable wealth. Mint probably employs programmer, or is programmer. If the code is public domain, then there will be multiple mints, with some more willing to disregard hostile governments than others. I suggest the following introduction: Introduce for micropayment services (identity is too expensive for small payments, which is why credit cards fail below five dollars) Useful for antispam email charge, remailer user fees, file sharing networks (solving the free rider problem), pornography by the minute, and tips for videocam performers. Need some legal and profitable application to get the software fully developed, debugged, and people used to it. When people are using it for dimes, they will want to start using it for large sums, and then things get interesting. Dubai is currently the banker for people evading third world currency exchange restrictions. Once it is working in the micropayment ghetto, where credit cards are uncompetitive, there will be demand to break out of that ghetto, and where there is demand, there will be supply. Of course there have been many attempts to fill the micropayment niche, all of them miserable failures. I think this is due to the inherently high costs of identity and revocability. If your payments are revocable, then you need identity, which costs, and you get involved in arbitration, which costs, and you cannot possibly afford to do that on a micropayment service.
* In my view, not necessarily the view of everyone in the DM community, the Big Win for solid DM is in illegal markets, e.g., buying and selling child porn, bestiality, snuff images, etc.
Child porn and bestiality are, like MP3s, a micropayment market. My hard drive keeps getting usenet child porn on it even though I try to prevent it. I download what I think is a Hellsing cartoon, and guess what? Among the many unviewed videos and images on my hard drive, there is probably enough child porn to put me away for fifty consecutive life sentences. My email spam is full of bestiality, even though I have numerous filtering rules designed to delete it. Surprisingly, I do not think I have seen any snuff spam -- which does not mean I am not getting it, it may be filtered by my anti porn spam rules. Just target file sharing, a legal market, according to the most recent judicial ruling, and some significant proportion of the files shared are going to be child porn etc. That is the users' issue, not the bank's.
* Anyone releasing such a strong DM system should be targeting the high end applications, where the needs for untraceability are very high and the willingness to pay the costs (in training, in network resources) is also high.
I disagree. Micropayments are legal. Useful if the same software has legal and illegal uses. Strong anonymity and consequent irrevocability has accepted legal, moral, and economic purpose in the micropayment field.
* In my view, most who have looked to enter the DM market (such as Digicash, Mark Twain Bank, etc.) have shied-away from precisely the areas where untraceability meets a real market need.
Mark Twain bank crippled their cash so they could stop pornographers from using it.
A digital money system where the DM may be "cancelled" will not fly. For various reasons. (Imagine your bank telling you that if they think you are violating their use policies they may simply seize your money and you'll be out of luck.)
Revocability. The various digital gold currencies are compelled to have an AUP and seize the money of people using their system when this AUP is violated, even though they very much do not want to, because of the very high costs involved.
* It may be that pioneers in this area just won't be able to make any money. This is not new. Many discoveries did not enrich the discoverer. Sometimes they were recognized in their lifetimes, sometimes not.
No money then crap software, crap software then lack of critical mass of users. Has to make money or no one will write software the ordinary end user will accept. --digsig James A. Donald
On Saturday, April 26, 2003, at 09:27 PM, James A. Donald wrote:
-- On 25 Apr 2003 at 22:56, Tim May wrote:
I think it may just not be possible for some bright programmer to develop a solid digital money (henceforth, DM) system and deploy it while still making money, avoiding some kind of prosecution or lawsuit (civil lawsuits for many different reasons).
[...]
* Real DM will likely be introduced in a guerilla fashion, much as Pr0duct Cypher anonymously released Magic Money a decade ago.
The mint cannot be anonymous. Needs reputation, and sizable wealth. Mint probably employs programmer, or is programmer.
Any given mint only needs the belief by its customers that it will honor (redeem) its tokens. Such a mint can, by demonstration, be as small as a corner store offering gift certificates. Naturally, the blinded nature of tokens means that customers can "ping" such mints as often as they like. (There is the "pack up, leave town, and burn customers" scam, as there always is with a bank or mint which has not yet redeemed all of its obligations. The best fix for this is to distribute monies at many such mints. It is unlikely, though remotely possible, that all of them or even most of them will abscond at the same time. Note that reputation per se does not stop this scam from happening even with meatspace banks. It is rare, however, as most banks deduce that getting a fraction of a continuing stream of business is more advantageous than absconding.)
Child porn and bestiality are, like MP3s, a micropayment market. My hard drive keeps getting usenet child porn on it even though I try to prevent it. I download what I think is a Hellsing cartoon, and guess what? Among the many unviewed videos and images on my hard drive, there is probably enough child porn to put me away for fifty consecutive life sentences. My email spam is full of bestiality, even though I have numerous filtering rules designed to delete it. Surprisingly, I do not think I have seen any snuff spam -- which does not mean I am not getting it, it may be filtered by my anti porn spam rules.
Nonsense. What you are receiving for free is either tame stuff or is just a "free sample," for marketing purposes. Look at the reports on monies spent on actual busted child porn rings: these consumers are spending real money, not getting their stuff for free as spam. --Tim May
-- James A. Donald:
Child porn and bestiality are, like MP3s, a micropayment market. My hard drive keeps getting usenet child porn on it even though I try to prevent it.
On 26 Apr 2003 at 23:03, Tim May wrote:
Nonsense. What you are receiving for free is either tame stuff or is just a "free sample," for marketing purposes. Look at the reports on monies spent on actual busted child porn rings: these consumers are spending real money, not getting their stuff for free as spam.
Well the email spam is fairly tame -- no actual penetration of children. Such penetration is implied but not shown. Models twelve or older. The usenet spam on the other hand is fairly dramatic, in one case the child, apparent age ten or so, appeared to be penetrated in a fashion that would probably cause serious injury, (one hopes someone was creative with special effects) --digsig James A. Donald
On Sat, 26 Apr 2003, Tim May wrote:
has not yet redeemed all of its obligations. The best fix for this is to distribute monies at many such mints. It is unlikely, though
Follow this out to its logical conclusion, why have 'mints' at all? How small is too small? If there isn't a lower limit... At that point the concept of 'money' pretty much becomes a fantasy. -- We are all interested in the future for that is where you and I are going to spend the rest of our lives. Criswell, "Plan 9 from Outer Space" ravage@ssz.com jchoate@open-forge.org www.ssz.com www.open-forge.org
At 09:27 PM 4/26/2003 -0700, James A. Donald wrote:
* Real DM will likely be introduced in a guerilla fashion, much as Pr0duct Cypher anonymously released Magic Money a decade ago.
The mint cannot be anonymous. Needs reputation, and sizable wealth. Mint probably employs programmer, or is programmer.
If the code is public domain, then there will be multiple mints, with some more willing to disregard hostile governments than others.
I'm not sure if many on this list recognize that the one such person, Patrick, replied to the "RE: Thanks for the living hell, and question about OpenSSL" thread yesterday. His Lucrative, open source DBI, is the first serious cypherpunks mint/ewallet code produced since Pr0duct Cypher's attempt many years ago. Unlike the earlier stuff, it's object-oriented and uses some of the most current middleware tools and techniques. Those on the list who fashion themselves as more than armchair cypherpunks would do well to visit his site http://lucrative.thirdhost.com/ , join the Lucrative mail list and/or chat with him privately.
I suggest the following introduction: Introduce for micropayment services (identity is too expensive for small payments, which is why credit cards fail below five dollars) Useful for antispam email charge, remailer user fees, file sharing networks (solving the free rider problem), pornography by the minute, and tips for videocam performers.
Patrick will soon have a configurable toolkit to create an "everyman a mint/underwriter" available. Lucky has offered to provide offshore from U.S. hosting for test mint.
we do not win the terrorism battle / with exclusion of liberties / an un-elected president / with a brand new atrocity / make way for war time opportunists / corporate interests and their proxies / exploitation of a tragedy / to serve their ideologies / corporate military complex / continues to abuse the world / death weapons for despots / sold by the red, white and blue -- Moral Crux, Stocks and Bombs
I'm learning a lot this morning. Thank you Adam, for a splendid taxonomy. I'll take one more shot at this, though sooner or later you'd think I'd stop pissing in the wind. :-). At 2:50 AM +0100 4/26/03, Adam Back wrote:
Re. the side discussion about whether it's fair to call these tokens coins as the value lies in the double spend database rather than the coin, I had the same discussion with Bob some time ago, and I concur.
I'd argue the p2p offline Brands option is more "coin" like in that you (personally) can spend the coin without relying on the double-spend database (providing the payee doesn't do an online deposit before accepting your payment).
The value is controlled by the entity holding the token. The fact that you're actually calling it a "token", above, should give you a hint. Besides, even in book-entry transactions, the value of the asset is controlled by the holder of the asset, not the clearinghouse. That's the point to building transaction systems in the first place, that, and to do so without repudiation of the transaction. As I've said before, people have to think about what's happening financially, and stop conflating "off-line" with "bearer". The fact that a given protocol requires a double-spend database, but the database can *only* prevent non-repudiation, and, most important, can say *nothing* about *who* owns the asset in question *unless* they double spend, means that assets transacted using that protocol can be said to be held in bearer form, and, as such, are no different, financially, from assets transacted using a coin, or a note, or a bond, or a certificate -- or a token. Think of it as a financial Turing test. If it quacks, etc. Cheers, RAH
Vamping on Adam's post a little more... At 2:50 AM +0100 4/26/03, Adam Back wrote:
Another bad aspect of identity is that it affects usability -- everyone has to be a registered and identified user at the bank to participate, even if they allow accountless operation just to meet the offline double-spending system.
This is bad for functionality as you'd like to be able to fully participate without ever registering with or identifying yourself to the bank.
My thinking about this has been that net-originated non-identity-linked self-signed ssh-style keys work better for internet bearer transaction methods like Chaum's blind signature protocols, and that, for the sake of security at least, they shouldn't be associated with the book-entry account/PIN/Password/SSL-PKI-Key required to convert an asset from book-entry form to internet bearer form. The result is, not-coincidentally, lower risk-adjusted transaction cost in the conversion of those assets from book-entry to bearer form, and, yes, the conversion is an identified one, because of the phase change between protocol-enforced and law-enforced financial operations. However, only to convert money into a bank-account balance, for instance, does one need to be identified to the financial system, which only makes sense, because that data is required to prevent transaction repudiation there. The result of independent self-signed keys is that people without accounts in the book-entry transaction system can still safely buy and sell digital goods on the net, at least, because the system, while using keys, is inherently accountless. It also grows an economy that can only reside on the net, which is desirable for lots of reasons. These tokens have to be moved on and off the net easily, and, more important, they have to be able to be *reserved* in book-entry form at the outset anyway. Notes, coins, whatever, are redeemed for dollars, for instance, transferred to your bank through the ACH system, or gold through GoldMoney/e-Gold, or equity through a securities depository, or whatever. Otherwise, they're meaningless, financially. Financial instruments have to be fungible *and* exchangeable or they don't exist, and the only other financially useful things to exchange them into, dollars in a bank or the PayPal system, for instance, are off-the-net book-entry assets.
So, in the early stages of an internet bearer economy, we're looking at notes and coins that move around the net almost exactly the way that physical notes and coins do. People withdraw cash from a book-entry account, spend it on the net using different protocols than the ones they used for withdrawal, earn it with the same protocol they spent it, and deposit cash using the same way they withdrew it. The same can be said for bearer financial transactions, except that "cash" would be replaced with some kind of depository receipt (Steve Schear and I came up with "Unsponsored Network Depository Receipt" one afternoon on the phone), and "spend" would be replaced with "trade". At some point, an entirely bearer market evolves, with bearer assets (don't say it fast...) backed up by and exchangeable into other bearer assets, just like we do with book-entry assets now. A direct-to-the-net bearer bond issue would be underwritten by some financial entity on behalf of a borrower without needing to float a book-entry issue and then creating depository receipts to be held in internet bearer form. At that point, connections to existing book-entry systems would become as vestigial as capital market book-entry system connections are to physically delivered bearer certificates these days, in the same way that whole issues of stock are currently traded in book-entry form, but technically "owned" by a single firm, with a single certificate in a vault at the Depository Trust Company, for instance. Cheers, RAH
At 11:10 PM 4/24/03 -0400, Patrick Chkoreff wrote: ...
Bill Frantz wrote:
The server is in a position to keep track of the money transfer by recording the serial numbers of the old and new coins as the exchanges take place. The server is perfectly capable of making the linkage. If you don't trust the server, then you must believe that all your transfers are known.
This is good too, Bill.
All right, I can generally understand the purpose here, to make it impossible to correlate an old coin with a new one issued in its place.
Right. You actually can get reasonable anonymity with the kind of scheme you're proposing, assuming anonymous communications and heavy use of the system. When you get a coin issued, you just keep it in limbo for a while, and then "spend" it with yourself, iterating until your paranoia level is satisfied. If the system is heavily used for real stuff, and the uses are over an anonymous communications network, there should be no way for the bank to tell when you're transferring the coin to yourself, vs. when you're transferring it to someone else. The bank can tell that you have coin X today, and that 20 iterations ago, that was coin Y. But that isn't going to give very much information about whether the coin is still in the possession of the same person. The user effectively pays for his level of anonymity with float, because he has to maintain a random, plausible spending pattern for enough transfers to leave the bank with very little information about whether his coins are his. Less paranoid users can use coins immediately, or after one or two iterations, for less security but faster access to their money. (It seems like I've seen this kind of idea discussed on cypherpunks before....) If you play with this protocol a bit, you can do a surprising amount with it--use multiple banks to allow unlinkability with your coins that is similar in strength to the anonymity you get with remailer networks, for example. (You still end up having to trust your bank not to steal the money, but that's pretty common.) ...
That I can see. I was starting to get the impression that somehow the Chaumian techniques were attempting to address the problem of preventing double spends even when doing a long chain of spends without contact with a server. In fact they are trying to address a more modest goal than that, and double spends are still something that must be detected by contact with the server.
In general, if I know enough to spend a coin once, I know enough to spend it several times. Every solution to this I've ever heard of comes down to one of: a. Embedding an identity in the coins in a way that comes out when they're double-spent, and handling double-spending offline by getting someone arrested. b. Using some locally trusted device on the spender's machine to prevent double-spending pre-emptively, e.g., because the code on your tamper-resistant token won't permit it. c. Checking the status of the coin online when the transaction is made. (Sometimes this is done only for some random subset of the coins, for efficiency.) The techniques for doing (a) are brilliant, but they still leave you with "and then someone goes to jail" as one of your protocol steps, which makes the protocols that use them a lot less interesting. And once you're doing online clearing, there's little point to messing around with the complicated stuff you have to do to get the spender's identity embedded in pairs of double-spent coins.
-- Patrick http://fexl.com
--John Kelsey, kelsey.j@ix.netcom.com PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259
At 6:12 PM -0400 4/24/03, Patrick Chkoreff wrote:
Although I have read some material on blinding etc., I do not see a need for it in my system.
Well, for me, at least, there's no point to discussing it anymore. :-). That was easy enough. Cheers, RAH
Patrick Chkoreff wrote:
On Thursday, April 24, 2003, at 05:27 PM, Adam Back wrote: If there is any problem of "linkability" in this scheme, please help me see it. The server does not log any socket events or transaction records of any kind. OK, if someone put a gun to my head and said "put in some code to log everything" then they might be able to discern some pattern like "this coin was issued to this IP address, and then three days later that coin was swapped from this other IP address." OK, that sounds like a potential problem, but I don't see how you can hide this information from the server ITSELF. When you present a coin to the server, it is going to know from which IP address it came, and I don't see a way around that.
Blinded coins prevent the server from knowing which IP address they are issued to (that is, it knows it issued _a_ coin to the address, but it doesn't know which one). When it sees an unblinded coin, yes, it knows which IP address that is presented by, but since it doesn't know who had it in the first place, that doesn't help. Of course, the unblinded coin is immediately replaced by a blinded one, thus restarting the cycle.
There is no linkability of personal identity in the system because there is no personal identity in the system, period. The server has no use for a public key from any user.
Errr - so how do you get money into the system in the first place? Note that blinded coins solve this issue, too - the server can have a list of where all the money came from in the first place, but after that it knows nothing. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
If there is any problem of "linkability" in this scheme, please help me see it. The server does not log any socket events or transaction records of any kind. OK, if someone put a gun to my head and said "put in some code to log everything" then they might be able to discern some pattern like "this coin was issued to this IP address, and then three days later that coin was swapped from this other IP address." OK, that sounds like a potential problem, but I don't see how you can hide this information from the server ITSELF. When you present a coin to the server, it is going to know from which IP address it came, and I don't see a way around that.
Perhaps I am mistaken, but the system you describe seems to be unlinkable-by-policy. Lucrative is unlinkable-by-mathematics. I believe the difference is nontrivial. Patrick McCuller
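As an added example (not code from Lucrative or from anyone in this thread), a toy Python mint illustrating the two points made above: RSA blinding, as Ben describes, keeps the mint from matching a coin it issued to the coin later deposited, while John Kelsey's option (c), an online set of redeemed serials, is what actually stops double spending. The RSA primes, client addresses and serial format are constructed for the demonstration and far too small to be secure.

```python
"""Toy Chaum-style blind-signature mint with an online double-spend list.

Constructed example: the RSA modulus below is tiny and trivially factored.
It only keeps the arithmetic readable; a real mint would use >= 2048-bit keys.
"""
import hashlib
import secrets
from math import gcd

# Constructed toy mint key (insecure size, demonstration only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private signing exponent


def coin_digest(serial: bytes) -> int:
    """Map a coin serial to the integer that is actually signed (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Mint:
    """Online mint: signs blinded values and remembers only redeemed serials."""

    def __init__(self) -> None:
        # Everything the mint sees at issue time: who asked, and the blinded value.
        self.withdrawals: list[tuple[str, int]] = []
        # The online double-spend database: serials already redeemed.
        self.spent: set[bytes] = set()

    def sign_blinded(self, client_address: str, blinded: int) -> int:
        """Issue step: sign whatever the client sends, without seeing the serial."""
        self.withdrawals.append((client_address, blinded))
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> bool:
        """Redeem step: accept a valid coin exactly once."""
        if pow(sig, E, N) != coin_digest(serial):
            return False          # forged or corrupted coin
        if serial in self.spent:
            return False          # double spend, caught by the online check
        self.spent.add(serial)
        return True

    def can_link(self, serial: bytes, sig: int) -> bool:
        """Can the mint match a deposited coin against anything it recorded?

        The withdrawal log holds m * r^e mod N for an r only the client knew,
        so neither the digest nor the signature ever appears in it.
        """
        m = coin_digest(serial)
        return any(seen in (m, sig) for _, seen in self.withdrawals)


def withdraw(mint: Mint, client_address: str) -> tuple[bytes, int]:
    """Client side: choose a serial, blind it, have it signed, unblind the result."""
    serial = secrets.token_bytes(16)
    m = coin_digest(serial)
    while True:                                  # blinding factor r, invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N            # the only value the mint sees
    blind_sig = mint.sign_blinded(client_address, blinded)
    sig = (blind_sig * pow(r, -1, N)) % N       # (m r^e)^d / r == m^d mod N
    return serial, sig


def swap(mint: Mint, serial: bytes, sig: int, client_address: str):
    """Trade an old coin for a fresh one (the 'spend it with yourself' step).

    Returns the new coin, or None if the old coin was invalid or already spent.
    """
    if not mint.deposit(serial, sig):
        return None
    return withdraw(mint, client_address)


if __name__ == "__main__":
    bank = Mint()
    coin = withdraw(bank, "client-A")            # constructed address label
    print("mint can link coin to its withdrawal:", bank.can_link(*coin))
    print("first deposit accepted:", bank.deposit(*coin))
    print("second deposit accepted:", bank.deposit(*coin))
```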