Geodesic Payment Systems? (was Re: Meeting notes from ANSI X.9 Meeting on Electronic Payment)

[Nathaniel Borenstein]

[I'll respond to several people's comments on this thread all at once.]

Excerpts from mail.limbo: 6-Dec-95 Re: Geodesic Payment System.. Robert
Hettinga at shipwrig (6688*)

> >To be perfectly clear:  our minimum service charge is 30 cents, not 5
> >dollars.  If we didn't think it was worthwhile to take transactions that
> >small, we wouldn't do so.

> Fine. Are we including the cost of the credit card transaction to the
> consumer? Fees, interest, that stuff? There are lots of hidden costs in a
> book entry system. With a bearer-certificate system, the price is the
> spread between the certificate's bid and asked prices for (a traveller's
> check, for instance, is asked at a primium, and redeemed at face value, for
> instance. That's all the cost of using them.)

This includes *everything*.  The 29 cents plus 2% includes all
credit-card related fees.  

> That may be true, Nathaniel, but just because the people who bring the
> money off the net need to be identified to the digital cash underwriter's
> (actually the underwriter's bank's) satisfaction, doesn't mean that the
> trades on the net can't be totally anonymous. We've gone over this before.

Yes, this is absolutely true.  I didn't mean to imply otherwise.  The
question is whether or not the possibility of true anonymity in the net
transactions might widen the door for fraud on the conversion.  I think
that it does, in the sense that there's no good way to answer the
question, "is it reasonable for Robert Hettinga to be cashing in $2
million of ecash today?"  In a non-anonymous system, audit trails could
be called up automatically on any "suspiciously large" transaction, and
this would help to limit fraud (along with some other, less desirable
social consequences).  I'm not saying that this kind of accountability
would necessarily be a good thing, merely trying to explain why banks
are leery of true anonymity.

> So, given that model, what's the problem?

None at all, if you can find an underwriter who is comfortable with the
fact that his investigative options will be limited in the case of
suspiciously large or suspiciously frequent "cash out" events from a
given customer.  Apparently Mark Twain Bank finds that risk acceptable. 
I'm sure the larger banks will be watching quite closely.

Excerpts from mail.limbo: 6-Dec-95 Re: Geodesic Payment System.. Wei
Dai at eskimo.com (1462*)

> >..... There's a good reason that most
> > companies have "Ltd" after their name instead of "Unlimited", in those
> > countries where that's the naming convention.

> I find this argument totally unconvincing.  No risk is unbounded.  The 
> worst thing that can possibly happen is that a nearby star goes supernova 
> and completely destroys the earth.  Yet markets handle this 
> low-probability risk quite well.

> The direct cost of a break-the-bank catastrophic failure is bounded by the 
> amount of capital the bank has.  This is because the market will not 
> accept more liabilities (real or forged) from the bank than its capital.  
> There may be other indirect costs resulting from dislocations, but these 
> should also be proportional to the size of the bank.  Therefore your 
> argument is really against centralization and for diversification and 
> distribution.

I'm sorry, when I said "unbounded" I was talking in a practical sense. 
Very few banks are willing to undertake a venture in which there is a
very-low-probability risk of a failure that is only bounded by their
total asset pool.  Technically, you are correct, that is always the
practical bound.  From a bank's perspective, however, "enough to break
the bank" is a good working definition of "unbounded risk".  They like
their risk bounded at a slightly lower threshhold... :-)

Excerpts from mail.limbo: 6-Dec-95 Re: Geodesic Payment System.. "E.
ALLEN SMITH"@mbcl.ru (1656)

> 	The risk in question is not infinite-cost. If the person who gets
> ahold of the keys starts simply making lots and lots of money, in a free
> market the prices in digital cash for everything will start going up. This
> phenomenon will be spotted, and those taking the particular variety in
> question will stop accepting it. Losses are limited to however much was out
> there at a given time, and if there are multiple systems with free-market
> interconversion between them, that may not be very much. People will move
> out of a decaying monetary system if: A. the new system is as easy to get
> as the old; and B. the new system is as easy to spend as the old.
> 	If the person who gets the keys simply uses them on a small scale,
> then the resulting inflation and loss of value can simply be dealt with
> using the discount mechanism. It's no longer infinite risk.

Basically, the criminal in this scenario has a choice between greed and
vandalism.  If he's motivated by greed, and he's clever, he'll push
things slowly in the inflationary direction, as you describe.  If he's a
vandal or terrorist at heart, however, he might get more satisfaction
out of generating the equivalent of overnight inflation at the
billion-percent level.  That's not a decaying monetary system, it's a
suddenly-collapsing monetary system.   The only difference between those
two scenarios is the quantity of bad money the criminal chooses to print
and distribute.  (Note that this is very different from physical
counterfeiting, where the logistics of actually feeding trillions of
dollars into the money supply are quite daunting, and make the
catastrophic-vandal scenario more or less impossible.)

Excerpts from mail.limbo: 6-Dec-95 Re: Geodesic Payment System.. Peter
Monta at qualcomm.com (892*)

> Why "the bank", rather than "all banks"?  If there is a single
> cryptographic point of failure in a widely used ecash system,
> it seems unlikely that diversity would buy you anything.  The
> worry would not be the compromised keys of a single bank, but
> rather, say, an effective cryptanalysis.  I would put this in
> the supernova class; it may be just as unlikely.

There's a big difference between breaking the algorithm and stealing the keys.

To break a cryptographic algorithm requires either a revolutionary
mathematical discovery or the discovery of a subtle coding flaw.  The
former is in the supernova category, and the latter is probably in the
"major hurricane" category.  However, stealing the keys is a relatively
simple computer crime.  You break into a computer somewhere and steal
some information.  It only breaks a single bank, but that's enough to
satisfy most criminals.....  -- Nathaniel
--------
Nathaniel Borenstein <nsb at fv.com>       | (Tense Hot Alien In Barn)
Chief Scientist, First Virtual Holdings | VIRTUAL YELLOW RIBBON:
FAQ & PGP key: nsb+faq at nsb.fv.com       | http://www.netresponse.com/zldf