Date: Fri, 20 Jan 1995 19:36:34 -0500 From: jrochkin@cs.oberlin.edu (Jonathan Rochkind)

Certainly, that's what money is after all. Pretty much. But how are you going to transfer these IOUs electronically in a way that is relatively fraud-proof? [...]

By only trading with trusted partners. Read on...

And of course, if you want to use these certificates of value anonymously, which is what is required to pay for an anon remailer, there are some slightly more stringent requirements. The right kind of ecash protocol can still handle it. But Carol probably shouldn't be paying for a remailer in CarolBucks (or CarolIOUs, whatever), at least not unless Carol is such a big spender that CarolBucks are in wide circulation and used by lots of people other then Carol. Which I guess is possible in your system.

If the remailer operator trusts Carol, then Carol and the Op can exchange Op-IOU's for money, or Carol-IOU's for Op-IOU's. (This is the base case of the induction for you math geeks.) Carol can use the Op-IOU's directly with the Op or 'sell' them to people who want to do business with the Op. If the remailer operator doesn't trust Carol, but there is a chain of trust from Carol to the remailer operator, then Carol can get IOUs from someone which the remailer operator does trust. Call them Jo-IOUs. To do this Carol asks Pat who asks ... who asks Jo for an IOU worth $32. Carol gives Pat a Carol-IOU worth $32(+transaction fee is Pat is a greedy sole) in exchange for which Pat gives Carol the Jo-IOU worth $32 (which Carol got from Pat (which Pat got from some place only Pat knows for sure)). IOU swaps will probably be done under the cover of encryption. Swaps can also be done with a nice ecash system like Chaum and Brandt(sp?) have proposed. But I am not sure it is required. Anonymity can come also from the chain of IOU swaps, in the same way remailers produce anonymity -- each person neglects to tell any others for whom they carry out IOU swaps. Sure Pat knows Carol wants a Jo IOU, but Pat doesn't know why. Jo could figure out that Jo's IOU went out to W.Smith, and came back from V.Jones but can't make any conclusion about weather W. and V. are trading partners or not. It would take a conspiracy of each person along the swap path to expose the real trade. Alternatively the buyer or seller can out the transaction. (But suppose they only know each other via some anonymous email pool...) And privacy (from other than your trading partners) comes from using encryption during each IOU swap. But if you don't trust your trading partners enough to keep quiet about who you are, by all means use an untraceable ecash system. (There are other advantages to using blind signatures anyway.)

A pseudo-anarchist non-state-supported debt system would work fine, but you still need a mechanism to transfer your certificates of value, whether they

Well... TackyTokens, and a little bit (ha!) of client code (start with Sameer's?) ought to do the trick. (So perhaps the original message's subject ought to have been "Why Ebanks? Why not a web of debt-trust?" since it is the central bank I am avoiding here. Not tacky tokens.) But it isn't really necesary. Read on...

[...] There are advantages and disadvantages to that sort of thing, and it might be something interesting to think about, but

One problem with getting an ecash system off the ground is making the tokens worth moeny. The advantage of a distributed web-of- debt/trust model is that I only need to trade IOUs for US$ with a few trusted friends. I don't need to go to any kind of central bank. No central bank means no central point to be attacked with guns, hacks, or taxes. No central bank means no credit card numbers, money orders, or green backs mailed away to strangers. Another cool thing, and the reason you don't need Chaumian digital cash, is that the only people you can steal from (or who can steal from you) are your trusted friends! If I pass a bogus token in exchange for a real IOU, then I just ripped off my friend. The only place two non-friends interface is at the final buyer-seller interface. If the seller refuses to honor the token, the buyer can ask the friend who gave it to them for a refund, who can ask for a refund from ... until the token gets back to the thief. The thief can either steal from their friend by refusing the refund, or infact honor the bogus token, and eat the loss (if any). One bad thing is anyone can deny service to people by passing bogus tokens, and then refunding them. Lukily the friends of the blocker will notice that when getting tokens through that person, the number of refunds is higher than average. In that case, the blocker can be removed from lists of their friends, and cut out of the economy. Denial of service can be prevented another way too -- but it does require Chaumian blind signatures. Instead of trading a Carol-IOU for any old Jo-IOU, Carol might demand a Jo-IOU which is a signature on a particular (blinded) secret number. Just as if Carol were doing a TackyToken protocol exchange directly with Jo. If Carol gets a thing from Pat which isn't signed by Jo, Carol complains to Pat. If Carol gets a thing which un-blinded isn't a signature by Jo of Carol's secret number, Carol again complains to Pat. Symbolically: instead of a <-> b, then b <-> c, then ... y <-> z; do a -> via b -> via c ... via y -> z signs -> via y ... via b -> to a. The disadvantage is that Pr0duct Cypher's Tacky Token code would need to be hacked a bit more. And then there is the nasty old issue of algorithm patents. Noyb