Re: Thanks for the living hell, and question about OpenSSL
Major Variola (ret) wrote:
At 02:20 PM 4/25/03 -0400, someone claiming to be Patrick Chkoreff wrote:
(-: The sig is valid for the key at http://fexl.com/keys/patrick.txt)
I was mistakenly thinking that because my sacred code did not in fact record any IP-based transmission logs, users were safe as far as anonymity and privacy were concerned. What I missed was that if someone put a gun to my head
Generally in security analysis you want to list threat models and how you resist (or not) them. From this you can derive a spec. ... This leads to the conclusion that security is economics + physics. The goal is to make attacks more expensive to your adversary, at "reasonable" cost to you.
Subpoenas are cheap to some.
True. From the thrashing I took yesterday, I conclude that subpoenas and other forceful means of system compromise are very cheap indeed. That assumes the system is big enough to matter to the bad guys, which is definitely false at initial rollout but from the looks of this crowd is likely to remain false forever if the system cannot guarantee protection against that threat. Everybody here wants an improvement over book-entry systems, but nobody will settle for anything less than fully blinded digital notes.

The question of whether digital notes can circulate in the wild without server contact but with the ability to identify double-spenders later is up for grabs. Hettinga likes that feature for intrinsic reasons having nothing to do with network reliability or ubiquity. I find it a bit appealing myself because it can help support small social nets of accountability. I have not reviewed the math in detail, but am I to understand that under this protocol ONLY double-spenders can be identified? That is, if you do not double-spend can you be guaranteed anonymity from other recipients down the spend chain?

Obviously those in the know share a common threat model that demands blinding. Certainly that has serious implications for the server. In a non-blinded system you can just store a small number of unspent coins and the server can do tricks like include an lseek number in the coin data to make lookup extremely fast. But nobody wants a non-blinded system. Consequently, the server must store a large number of spent coins and because coin identifiers are created randomly out in the wild there is no convenient embedded lseek number. But yes, it is extremely cool that you can get the bank's signature on X without actually revealing X to the bank.

Certainly there are more detailed threats than forced compromise to consider. Some precautions you take just because you can -- lock and randomize memory for example. But whether you turn on internal churning mechanisms to prevent timing attacks, put ceramic caps on memory components, put boxes in Faraday cages, etc. is another story altogether.

-- Patrick http://fexl.com
On Friday, April 25, 2003, at 03:01 PM, Patrick Chkoreff wrote:
The question of whether digital notes can circulate in the wild without server contact but with the ability to identify double-spenders later is up for grabs. Hettinga likes that feature for intrinsic reasons having nothing to do with network reliability or ubiquity. I find it a bit appealing myself because it can help support small social nets of accountability. I have not reviewed the math in detail, but am I to understand that under this protocol ONLY double-spenders can be identified? That is, if you do not double-spend can you be guaranteed anonymity from other recipients down the spend chain?
Obviously those in the know share a common threat model that demands blinding. Certainly that has serious implications for the server. In a non-blinded system you can just store a small number of unspent coins and the server can do tricks like include an lseek number in the coin data to make lookup extremely fast. But nobody wants a non-blinded system. Consequently, the server must store a large number of spent coins and because coin identifiers are created randomly out in the wild there is no convenient embedded lseek number. But yes, it is extremely cool that you can get the bank's signature on X without actually revealing X to the bank.
Regarding "digital notes circulating in the wild without server contact," you need to look at some of the articles here (Cypherpunks) from around 1994-97 on "money changing."

Cf. articles by Doug Barnes, Ian Goldberg, myself, and others. Accessible via Google.

Basically, there is no reason why intermediaries will not develop who agree to take in digital money and issue new digital money, for a fee.

The operation of making change is just this.

In principle, and probably fairly quickly in practice, the connection with an "issuing bank" (whatever that strange thing may be) is not needed often. "Everyone a moneychanger" and "agnostic" systems work for reasons that would take a lot of time to get into. Several dozen articles, as noted above, get into this.

Having a solid, robust, core system of first-class objects is a step we haven't had. The Mark Twain Bank system was too expensive to do experiments with (and didn't last long enough), and so on for other toy systems.

--Tim May

"He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you." -- Nietzsche
On Friday, April 25, 2003, at 03:51 PM, Tim May wrote:
Regarding "digital notes circulating in the wild without server contact," you need to look at some of the articles here (Cypherpunks) from around 1994-97 on "money changing."
Cf. articles by Doug Barnes, Ian Goldberg, myself, and others. Accessible via Google.
Basically, there is no reason why intermediaries will not develop who agree to take in digital money and issue new digital money, for a fee.
The operation of making change is just this.
I should have also made clear that the digital notes do not circulate around and around, without server contact (redemption). For one thing, such circulation would a) expose the digital numbers to copying by intermediaries and b) defeat the idea of untraceability. And if the note were not redeemable, the "stuckee" would have no recourse unless the identity of the links were known (and measures could be taken, blah blah).

It is best to think of a digital note as a _relationship_ between a and b: aRb. An arrow. A transfer relationship. Alice sends to Bob a digital money token. What he does with it is another transaction (canonically, he sends it to a bank, and, if it is redeemed, he is satisfied. He may also be a bank, or the digital money token may be a form of money he recognizes, as with a remailer token, a stamp).

It is best not to think of there being any intermediate steps. That is, any two nodes linked by an arrow have no other nodes between them. The token does not get passed from hand to hand to hand, no matter how complex a series of transactions is. (To do so invites copying, which leads to the double spending problems so often discussed.)

(Digression: Even actual folding money works this way, basically. Alice transfers money to Bob who transfers it to Charles, and so on. Of course, with digital money the same token is not transmitted this way. Each stage effectively reissues the money (or Bob "redeems" the money at a bank, which is a special, terminal case).)

"Money" is a loaded term, conjuring up various and often-contradictory images of paper notes, bullion, coins, IOUs, personal checks, cashier's checks, warehouse receipts, bearer bonds, drugs, artwork, wire transfers, SWIFT transfers, etc. The relationship R for money is something which needs to be discussed at more length: there may be forms of R for small value or coin-like uses, for medium value banknote-like uses, or even for high value bearer bond-like or bank-like uses.

Just as there are many forms of non-digital money, for various uses and with various levels of security and authentication, so too must one expect various kinds of digital money. First class objects are critically important here, but not in a "one size fits all" sense. (Not sure if this is clear or not...as I said, much more needs to be said.)

One of the interesting properties of the relationship R is that it involves _belief_. This is really what money is all about. The fact that one's belief that a $20 banknote with the right Andrew Jackson portrait on it is "real money" is only an expression of one's belief that the odds of it not being accepted by some other party, or by the U.S. Treasury, are close to nil. In areas where banknotes are more commonly forged, and thus not accepted, such a belief would be naive. And so on for various other forms of money. Even digital money.

Which gets us into reputations and ping systems (with blinding, an issuer can decide to "burn" (renege on) particular users, which makes repudiation difficult and not something banks which wish to stay in business will lightly do).

Properties of these graphs (or, in certain interesting cases, lattices) are crucial to understanding digital money.

--Tim May

"The Constitution is a radical document...it is the job of the government to rein in people's rights." --President William J. Clinton
At 06:01 PM 4/25/03 -0400, Patrick Chkoreff wrote: ...
True. From the thrashing I took yesterday, I conclude that subpoenas and other forceful means of system compromise are very cheap indeed.
It's not that they're cheap, it's that they're cheaper than alternative attacks against blinded cash systems, where linking the coin and the withdrawer is information-theoretically prevented (e.g., the blinded coin carries zero information about the user).
--John Kelsey, kelsey.j@ix.netcom.com PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259
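As an added illustration, not code from anyone in this thread, the following Python sketch puts the mechanisms under discussion side by side: the Chaum-style RSA blind signature Patrick marvels at (the bank signs a blinded value and so certifies a serial it never sees), the issuer's ever-growing table of spent serials that is the only thing standing between a redeemed coin and a double spend, and John's point that the issuer's own withdrawal log contains nothing that matches a coin when it comes back, so a subpoena of that log links nobody. It also models one hop of Tim's aRb chain, where the recipient redeems and is issued a fresh coin rather than passing the token on. The Bank class, the function names, the 512-bit key, the 32-byte random serial and the single SHA-256 hash-then-sign step are all assumptions for this demo; the key generation is a toy Miller-Rabin and none of this is a deployable issuer.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # RSA public exponent (assumed bank parameter)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def coin_digest(serial, n):
    """Hash the serial before signing; raw RSA on the serial would be malleable."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

class Bank:
    """Hypothetical issuer: signs blinded values, redeems coins, remembers spent serials."""

    def __init__(self, bits=512):
        while True:
            p, q = gen_prime(bits // 2), gen_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and gcd(E, phi) == 1:
                break
        self.n = p * q
        self._d = pow(E, -1, phi)
        self.withdrawal_log = []  # everything the issuer ever sees at withdrawal
        self.spent = set()        # serials already redeemed; only ever grows

    def sign_blinded(self, blinded):
        """Sign whatever the customer presents; the real serial stays hidden."""
        self.withdrawal_log.append(blinded)
        return pow(blinded, self._d, self.n)

    def verify(self, serial, sig):
        return pow(sig, E, self.n) == coin_digest(serial, self.n)

    def redeem(self, serial, sig):
        """Return 'accepted', 'bad signature' or 'double spend'."""
        if not self.verify(serial, sig):
            return "bad signature"
        if serial in self.spent:
            return "double spend"
        self.spent.add(serial)
        return "accepted"

def withdraw(bank):
    """Customer side: choose a serial, blind it, get it signed, unblind."""
    n = bank.n
    serial = secrets.token_bytes(32)        # random coin id, chosen in the wild
    m = coin_digest(serial, n)
    while True:
        r = 2 + secrets.randbelow(n - 2)    # blinding factor, must be invertible mod n
        if gcd(r, n) == 1:
            break
    blind_sig = bank.sign_blinded((m * pow(r, E, n)) % n)
    sig = (blind_sig * pow(r, -1, n)) % n   # strip r; sig is now m^d mod n
    return serial, sig

def bank_can_link(bank, serial, sig):
    """Does anything logged at withdrawal match the coin now being redeemed?"""
    m = coin_digest(serial, bank.n)
    return m in bank.withdrawal_log or sig in bank.withdrawal_log

def reissue(bank, serial, sig):
    """One hop of the aRb chain: the recipient redeems and is issued a fresh coin."""
    status = bank.redeem(serial, sig)
    return status, (withdraw(bank) if status == "accepted" else None)

if __name__ == "__main__":
    bank = Bank()
    serial, sig = withdraw(bank)
    print(bank.redeem(serial, sig), "/", bank.redeem(serial, sig), "/ linkable:", bank_can_link(bank, serial, sig))
```

Two things fall out of running it. The spent set has to hold every serial ever redeemed, and because the customer chose the serial at random there is nothing in it the bank can use for Patrick's lseek trick; a real issuer is indexing a large, unordered set for the life of the key. And the withdrawal log holds only blinded values, each masked by a one-time r, so even a complete copy of it gives an adversary no handle on which redeemed coin came from which withdrawal; the cheap attack John describes is against the people and hosts around the protocol, not the protocol.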