I sent messages pertaining to the anonymous auditing problem to Niels Ferguson, and like someone who hopes the property owner forgives the trespass that occurs when someone walks up and rings the doorbell, I hope he doesn't "have a cow" that I'm sharing some of his remarks.
The anonymous auditing problem is, as far as I have understood, not well defined.
Duh!!! Ahem...
The purpose is to allow an external auditor to compute the sum of all the bank's commitments without revealing the individual commitments to the auditor. The problem is: who is going to provide the data to the auditor?
The simplest answer would be that the customers are going to provide the data. In this case the voting protocols described in literature are a good start. It should even be possible to have the bank provide signed account statements for a specific date to all clients which are then used in the protocol to prevent clients from cheating and thereby generating a false result in the audit. But any such scheme is not practical as ALL customers have to cooperate.
If the bank is going to supply the information to the auditors, then there must be some way to stop the bank from creating an entire `shadow' bookkeeping. That is, the data must include some kind of customer's signature on the balance of each bank account, and the public key of this customer must somehow be verified to belong to a real person (to ensure that it was not generated by the bank itself). The authentication of a public key and linking it to an actual person requires another institution (government?) which keeps track of people and authenticates that they are actual living persons.
Note that all this information does not have to be revealed to the auditor, but it is necessary as input to the cryptographic protocol. In general a cryptographic protocol cannot achieve anything that a computer which is trusted by all parties cannot achieve. If someone could give a description of the required functionality of this virtual trusted computer, then the cryptographers can try to make it into a protocol (and then try to make it practical).
Did I miss something when I quickly read your mail or is the notion of an anonymous auditing still vague?
I haven't studied voting schemes but most of them have serious flaws. Many of them have difficulty handling a dishonest minority, or require too many resources to be practical. One requirement for voting schemes which I have not seen in literature is the unprovability. After voting a voter should not be able to prove what she voted to another party. If this were possible, then buying votes (or blackmailing people to vote a certain way) becomes possible. The old Italian voting system had so many possibilities to cast your vote that this was used by the Mafia in certain areas. They would approach a person and basically state: "You'd better make sure that there is a ballot with exactly these choices in the result or else....".
I don't read the cypherpunk mailing list. If it were a newsgroup I would find it quite interesting, but as a mailing list it is much harder for me to selectively read the articles. Also, my mail handler doesn't support a kill file. When I tried a subscription I found the signal-to-noise ratio to be too low to read it as a mailing list. The volume was also so high that it drowned out my other e-mail. With a newsgroup you can safely ignore it for a while. Maybe I should get a better mail handler, but when I mentioned this problem to Eric Hughes, he said that they could have created a newsgroup but decided not to. A clear mistake in my opinion. Anyways, maybe someone will create an alt.cypherpunk newsgroup and put up a gateway from the mailing list to the newsgroup.
Niels Ferguson can be reached at niels@cwi.nl, and I'm sure one of you finks will rat on me and tell him I'm betraying confidentiality. Well, go ahead, you'll see what I do to you.

Kent - <jkhastings@aol.com>