Fwd: (micro)payments for anonymous routing in Tor?

6 Jul 2018

      Gee, this sounds familiar. :-)

I remember talking about cash-settled routing with Vinnie Moscaritolo,  
while bouncing around in his bumper-sticker-festooned Toyota pickup  
when I did my first Apple talk in 1995 or so. It's kinda like  
Feynman's "patent" for the atomic powered bomber, one of the first  
things you bump into when you think about how small bearer  
transactions could go. No doubt the Agorics guys were talking about  
something equivalent in the "digital silk road" days; turtles all the  
way down, and so on.

Cash-settled routing is essentially a streaming cash application, just  
like streaming music, or a whole lot of other things, if you hop back  
and forth across the particle/wave phenomenon that is the world of  
internet protocols.

The simple way to deal with double spending of streaming coins is to  
assay (statistical sample) the coins in real-time, do a redeem-reissue  
on assay, and to do a redeem/reissue on all your coins after  
completion of the transaction to make sure that the coins you have  
aren't double spent.

Or not, I suppose. The risk is entirely yours, same as it ever was  
with off-line or, in the case of streaming, quasi-offline, transactions.

As an underwriter (I hate the word bank for various reasons), I would  
assay coins randomly on redemption and pay for the whole lot to save  
myself and my customers time and bandwidth.

As for the coins themselves we were looking at Shamir/Rivest's  
micromint for this the first time around, but Nicko wrote a paper for  
FC00 showing that simple rsa-signed coins are more scalable from case  
zero.

BTW, I think of "coins" as things requiring probabilistic settlement  
like this, and "notes" as things requiring individual settlement, like  
blind-signature instruments. Obviously, Moore's Law determines the  
"thermocline" ("pecunicline"? :-)) for this, the boundry layer between  
"coins" and "notes". I chose probabilistic settlement, because  
micromint, and other streaming coin applications, pretty much require  
a factory to produce the coins, just like it takes a whole factory to  
make one penny, the first being the most expensive, economies of  
scale, and all that.

Of course, Rivest/Micali's "Peppercoin" is the exception that proves  
the notes/coins decision-rule, because, while a completely book-entry  
transaction, it's probabilistically settled, Peppercoin being a  
"lottery" where you write an arbitrarily large number of biometric- 
identity checks and pay only one of them. So Pepper*coin* is really  
Pepper*check*, but, obviously, that name would probably make the VCs  
eyes glaze over, so its just as well they didn't use it.

Anyway, for TOR itself, like anonymous remailers, cash settlement,  
streaming or otherwise, is necessary, because the economics of the  
idea at the moment is entirely transfer-priced, meaning that, like  
open source -- or other advertisement-supported media :-) -- the  
product is included "free" in transactions for other things. Since  
anonymity is, shall we say, atomistic in its necessity, it's hard to  
support it with something else besides cold, hard, cash.

Cheers,
RAH

Begin forwarded message:
...
From: Eugen Leitl <eugen@leitl.org>
Date: September 24, 2008 4:43:14 AM GMT-04:00
To: cypherpunks@al-qaeda.net
Subject: Re: (micro)payments for anonymous routing in Tor?
----- Forwarded message from Josh Albrecht <thejash@gmail.com> -----
From: Josh Albrecht <thejash@gmail.com>
Date: Wed, 24 Sep 2008 03:44:39 -0400
To: or-talk@freehaven.net
Subject: Re: (micro)payments for anonymous routing in Tor?
Reply-To: or-talk@freehaven.net
...
* payments turn it into a service with an expected outcome.   
Assumably
(among others) that is 1) your anonymity is maintained and 2) your  
payment
is completed successfully.  What happens _when_ something goes  
wrong? As of
now, the first thing that Tor says is "This is experimental  
software. Do not
rely on it for strong anonymity. " It would have to add, "Do not  
rely on
this to successfully route your financial transactions" and while  
the first
is a warning most can accept, the second may really scare us.
This came up on IRC as well.  Someone pointed out that the paper's
assumption of "honest but curious" banks might not be valid (ie, the
bank might cheat).  However, there are a few counter-arguments to that
that I see.
For the S-coins, it will be immediately obvious to a relay that the
bank is cheating, because the relay can validate whether the payment
is good or not on its own.  For the A-coins, the answer is trickier.
The relays can still check the validity of the payment, but the client
could be "double-spending".  If the bank pays A-coins even in the case
of double-spending, the bank can never cheat.  The downside is that
anonymous clients can then cheat to get slightly more value for
A-coins than they put in.  This is a serious problem because it would
allow the client to pay multiple relays that they control, essentially
duplicating their money for free.
Thus, the bank must decline all payment for double-spent A-coins, or
at least allow only one payment for any A-coin.  However, clients can
still validate that the bank is not cheating by withdrawing and
depositing A-coins at any time in an attempt to catch the bank
cheating.  This is more of an economic argument--the bank has an
incentive to maintain user trust so that it can continue to do
business.  The value gained by cheating some users of A-coins would
likely be less than the expected gain from NOT having to worry about
the risk of someone demonstrating that the bank is cheating.
Also, the values at stake are:  1.  very small, and 2.  greater than
the current profit of zero for relay operators.  It's not that relay
operators have to rely on Tor for their financial security--they
could, with this scheme, make some modest amount to cover their costs.
No single relay operator should ever have a significant amount of
money in the system that could possibly be at risk.
...
On Wed, Sep 24, 2008 at 12:05 AM,  <tor-operator@sky-haven.net>  
wrote:
How do you pay anonymously yet have the system fairly permit "paid"  
traffic to
have higher priority?  With anonymity intact, how do you audit and  
enforce
this policy?
I think your first question was about how to ensure that giving
priority to certain traffic does not introduce any new attacks against
anonymity?  In that case, I'm not sure, but it is not at all clear to
me that this would decrease anonymity.  Does anyone see such an
attack?
As for the second question, I think it was:  what prevents relay
operators from choking off all unpaid traffic, in order to maximize
profits?  As an answer to that, I'd say that not much prevents them
from doing that.  Perhaps there are anonymity benefits to allowing
unpaid traffic as well (since there would be more ambiguity as to the
original source of the traffic).  There might also be ethical benefits
to allowing unpaid traffic, ie, much the same motivation for the
current operators of Tor relays.  Finally, if this were the default
behavior, novice users would be unlikely to change it, and that alone
might be enough bandwidth for unpaid users.
Thanks for the thoughts!
- Josh
----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

R.A. Hettinga

tags

participants (1)