Re: Geodesic Payment Systems? (was Re: Meeting notes from ANSI X.9Meeting on Electronic Payment)
From: IN%"nsb+limbo@nsb.fv.com" "Nathaniel Borenstein" 5-DEC-1995 09:37:47.34 A true geodesic structure is self-supporting and self-structuring. A cryptographic infrastructure can and should be similar, I agree completely. However, a *monetary* infrastructure needs convertability, and the points of conversion are always the best targets of attack for criminals. (I've been casting about for an analogy to physical geodesics, and it's hard to find one. The best I can come up with is to imagine that in order to convert a carbon buckyball to a more conventional set of carbon molecules, you had to do it through a service bureau that was capable of error, fraud, or subversion by outside criminals. This would ONLY matter if you ever wanted to do such conversions, but it would matter a lot then, especially if you had to suffer a serious financial loss if you got the wrong carbon molecules at the end of the process.) IF you wanted to settle for a totally non-convertible economy (like rubles in the old Soviet Union, or like the LETS system on the net today, as I understand it) then you could build it geodesically. But if you want to be able to convert back and forth between Internet payment systems and non-Internet payment systems, it can never be truly geodesic. It will always be attackable at the points of conversion. (You may "trade digital certificates", but how do you know the ones you're receiving were obtained for legitimate real-world value?) Because of this, the underwriting financial institutions, who have a very reasonable desire to limit their own risk, will inevitably seek the protection-by-traceability offered by something less than perfect anonymity. We may not like it, but it's a very natural position to be taken by those who are actually bearing the financial risks at the point ---------------------------- All of this is assuming that the digital currency being produced has a one-to-one ratio with some "real" currency. If, for instance, the digital certificates were indeed bought with a one-to-one ratio from the producer, but were traded to others for "real" cash at some market-determined discount, the market would incorporate the risk. The traders who were willing to take the risk that the certificates were not actually worth one dollar/whatever would be able to make a profit by the difference between one digital dollar and one "real" dollar. The problem is simplified even more with privately backed currencies. -Allen
Excerpts from mail.nonpersonal: 5-Dec-95 Re: Geodesic Payment System.. "E. ALLEN SMITH"@mbcl.ru (2487)
All of this is assuming that the digital currency being produced has a one-to-one ratio with some "real" currency. If, for instance, the digital certificates were indeed bought with a one-to-one ratio from the producer, but were traded to others for "real" cash at some market-determined discount, the market would incorporate the risk. The traders who were willing to take the risk that the certificates were not actually worth one dollar/whatever would be able to make a profit by the difference between one digital dollar and one "real" dollar. The problem is simplified even more with privately backed currencies.
I had assumed that there was a market discount, but it's still not quite that simple. It's very hard for markets to deal with *unbounded* risk. The biggest problem I see with most of the crypto-cash schemes is that there is a legitimate scenario -- however low-probability you might assess it to be -- of break-the-bank catastrophic failure, i.e. in which someone gains the keys that allow him to essentially print money. This kind of low-probability, infinite-cost risk is the kind of thing that gives underwriters the heebie jeebies. There's a good reason that most companies have "Ltd" after their name instead of "Unlimited", in those countries where that's the naming convention. Excerpts from mail.nonpersonal: 5-Dec-95 Re: Geodesic Payment System.. Wei Dai@eskimo.com (1749*)
But if we're converting between one eletronic system and another, then cryptographic protocols reduce the cost of protection to nearly zero for even small organizations.
This is probably true, although protocol translation is a notoriously tricky and subtle business. But my comments were aimed at the conversion between electronic and physical monetary systems, not between different electronic systems. And, for this purpose, totally non-Internet mechanisms such as SWIFT or US ACH are, in my view, "physical" systems, for a number of historical reasons. If you disagree with that classification, however, you just push the line down a little further, but don't change the underlying assessement. -- NB -------- Nathaniel Borenstein <nsb@fv.com> | (Tense Hot Alien In Barn) Chief Scientist, First Virtual Holdings | VIRTUAL YELLOW RIBBON: FAQ & PGP key: nsb+faq@nsb.fv.com | http://www.netresponse.com/zldf
On Wed, 6 Dec 1995, Nathaniel Borenstein wrote:
I had assumed that there was a market discount, but it's still not quite that simple. It's very hard for markets to deal with *unbounded* risk. The biggest problem I see with most of the crypto-cash schemes is that there is a legitimate scenario -- however low-probability you might assess it to be -- of break-the-bank catastrophic failure, i.e. in which someone gains the keys that allow him to essentially print money. This kind of low-probability, infinite-cost risk is the kind of thing that gives underwriters the heebie jeebies. There's a good reason that most companies have "Ltd" after their name instead of "Unlimited", in those countries where that's the naming convention.
I find this argument totally unconvincing. No risk is unbounded. The worst thing that can possibly happen is that a nearby star goes supernova and completely destroys the earth. Yet markets handle this low-probability risk quite well. The direct cost of a break-the-bank catastrophic failure is bounded by the amount of capital the bank has. This is because the market will not accept more liabilities (real or forged) from the bank than its capital. There may be other indirect costs resulting from dislocations, but these should also be proportional to the size of the bank. Therefore your argument is really against centralization and for diversification and distribution. Wei Dai
Wei Dai writes:
[ infinite-cost risk ]
... The direct cost of a break-the-bank catastrophic failure is bounded by the amount of capital the bank has. This is because the market will not accept more liabilities (real or forged) from the bank than its capital. There may be other indirect costs resulting from dislocations, but these should also be proportional to the size of the bank. Therefore your argument is really against centralization and for diversification and distribution.
Why "the bank", rather than "all banks"? If there is a single cryptographic point of failure in a widely used ecash system, it seems unlikely that diversity would buy you anything. The worry would not be the compromised keys of a single bank, but rather, say, an effective cryptanalysis. I would put this in the supernova class; it may be just as unlikely. Peter Monta
participants (4)
-
E. ALLEN SMITH -
Nathaniel Borenstein -
Peter Monta -
Wei Dai