CDR: Re: Jim Bell
Ray Dillinger
bear at sonic.net
Mon Nov 27 19:16:58 PST 2000
On Mon, 27 Nov 2000, A. Melon wrote:
>Newby puzzles:
>
>> Right, I agree.
>>
>>But what I'd like to consider is a recipe for "plain ordinary"
>>folk to conspire anonymously to commit murder.
>
> Did you even bother to read AP? RTFM, dude!
Speaking as someone who has very recently read AP, the
protocol presented therein is incomplete.
I'm collecting protocols, trying to write a reference work
of them, and, well, I'm most of the way through the A's so
the other day I looked at Assassination Politics again.
Since this time I was trying to distill a formal protocol
specification, I was a lot more critical about fine points.
Bell handwaved on the point of obtaining digital cash for
paying the assassin with. Bob the broker can go to the
bank and obtain it in the usual way, of course - but then
has to transfer it to Alice the assassin, and there's a
sticky point involved. If he just "copies" the money to
Alice, she can double-spend with impunity and it's Bob's
identity that will be revealed.
Conversely, if she provides tokens for the bank to sign,
then Bob has a major problem getting them past the cut-and-
choose protocol at the bank. Even if she provides enough
tokens to completely populate the cut-and-choose protocol,
those tokens still have to have splits of valid identification
information for somebody in them - and giving them all to
Bob so that Bob could complete the protocol with the bank -
would imply that Bob is privy to that information. Worse,
the bank will have the information from the cuts it didn't
choose, and has to make sure it all matches. Thus, Bob the
Broker and Dave the Banker can identify Alice - or at the
very least someone whose identification Alice has stolen.
Finally, Carol the contributor has to have a way to check
the digital cash that was sent Alice - to make sure Bob
is not holding out her contribution. This works if Carol's
original coinage is simply encrypted under the key that the
successful predictor used - because Carol can perform the
same computation and make sure that bit string appears in
the "payment" package. But then Carol has the same problem
where Alice can double-spend with impunity and it's Carol's
identity that will be revealed. On the other hand, if
Carol's digital cash is transferred to Bob by protocol,
there's no way she can recognize it later under encryption.
(and under commercial digital cash protocols now in use, no
way Bob can retransfer it to Carol). So if Bob deposits the
money and obtains new digital cash, Carol needs a way to
look at that digital cash and know that it does in fact
carry the bank's signatures for the proper amounts - she
can't recognize her own bills, but she can check that the
total is correct from the last point at which she could.
But Carol has to be provided this information without
providing her enough information to just spend the cash
herself.
In short, AP as described by Bell appears to depend on
digital cash having some exotic and not-otherwise-very-
useful properties, including a bank with a protocol that
allows issue-by-proxy, which has no readily apparent
commercial use. No protocol for digital cash that I'm
yet aware of has these properties. Hence, without some
major engineering work, and probably the active cooperation
of some bank, AP as described cannot be implemented.
I think some of these problems could be solved by
engineering; but A, it would be non-trivial work, and B,
I don't think I care to waste any effort on figuring out
secure ways to kill people outside the law.
Bear
More information about the cypherpunks-legacy
mailing list