CDR: Re: Jim Bell

Ray Dillinger bear at sonic.net
Mon Nov 27 19:16:58 PST 2000



On Mon, 27 Nov 2000, A. Melon wrote:

>Newby puzzles:
>
>> Right, I agree.
>>
>>But what I'd like to consider is a recipe for "plain ordinary"
>>folk to conspire anonymously to commit murder.
>
>        Did you even bother to read AP? RTFM, dude!

Speaking as someone who has very recently read AP, the 
protocol presented therein is incomplete.

I'm collecting protocols, trying to write a reference work 
of them, and, well, I'm most of the way through the A's so 
the other day I looked at Assassination Politics again. 

Since this time I was trying to distill a formal protocol 
specification, I was a lot more critical about fine points.

Bell handwaved on the point of obtaining digital cash for 
paying the assassin with.  Bob the broker can go to the
bank and obtain it in the usual way, of course - but then 
has to transfer it to Alice the assassin, and there's a 
sticky point involved.  If he just "copies" the money to 
Alice, she can double-spend with impunity and it's Bob's 
identity that will be revealed. 

Conversely, if she provides tokens for the bank to sign, 
then Bob has a major problem getting them past the cut-and-
choose protocol at the bank.  Even if she provides enough 
tokens to completely populate the cut-and-choose protocol, 
those tokens still have to have splits of valid identification 
information for somebody in them - and giving them all to 
Bob so that Bob could complete the protocol with the bank - 
would imply that Bob is privy to that information.  Worse, 
the bank will have the information from the cuts it didn't 
choose, and has to make sure it all matches. Thus, Bob the 
Broker and Dave the Banker can identify Alice - or at the 
very least someone whose identification Alice has stolen.  

Finally, Carol the contributor has to have a way to check 
the digital cash that was sent Alice - to make sure Bob 
is not holding out her contribution. This works if Carol's 
original coinage is simply encrypted under the key that the 
successful predictor used - because Carol can perform the 
same computation and make sure that bit string appears in 
the "payment" package.  But then Carol has the same problem 
where Alice can double-spend with impunity and it's Carol's 
identity that will be revealed.  On the other hand, if 
Carol's digital cash is transferred to Bob by protocol, 
there's no way she can recognize it later under encryption.  
(and under commercial digital cash protocols now in use, no 
way Bob can retransfer it to Carol).  So if Bob deposits the 
money and obtains new digital cash, Carol needs a way to 
look at that digital cash and know that it does in fact 
carry the bank's signatures for the proper amounts - she 
can't recognize her own bills, but she can check that the 
total is correct from the last point at which she could.  
But Carol has to be provided this information without 
providing her enough information to just spend the cash 
herself.  

In short, AP as described by Bell appears to depend on 
digital cash having some exotic and not-otherwise-very-
useful properties, including a bank with a protocol that 
allows issue-by-proxy, which has no readily apparent 
commercial use. No protocol for digital cash that I'm 
yet aware of has these properties.  Hence, without some 
major engineering work, and probably the active cooperation 
of some bank, AP as described cannot be implemented.

I think some of these problems could be solved by 
engineering; but A, it would be non-trivial work, and B, 
I don't think I care to waste any effort on figuring out 
secure ways to kill people outside the law.

				Bear
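
The double-spending point in the message above (a coin that is simply copied still exposes the original withdrawer if it is spent twice), as an added sketch that is not part of the original message. It assumes offline cash in the style of Chaum, Fiat and Naor, where the withdrawer's identity is split into XOR pairs; the bank's blind signature and the cut-and-choose step are omitted, and all names and sample values are constructed.

```python
import hashlib
import secrets

K = 16  # identity pairs per coin (constructed size for this sketch)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def commit(value):
    return hashlib.sha256(value).hexdigest()

def withdraw(identity):
    """Build a coin of K pairs (a_i, a_i XOR identity) plus hash commitments.
    The bank's blind signature over the commitments is omitted (assumption)."""
    pairs = []
    for _ in range(K):
        a = secrets.token_bytes(len(identity))
        pairs.append((a, xor(a, identity)))
    return {"pairs": pairs,
            "commitments": [(commit(l), commit(r)) for l, r in pairs]}

def spend(coin, challenge):
    """Open one half of each pair, selected by the payee's challenge bits."""
    return [coin["pairs"][i][bit] for i, bit in enumerate(challenge)]

def verify_spend(commitments, challenge, opened):
    """Payee/bank check: every opened half matches its commitment."""
    return all(commit(v) == commitments[i][bit]
               for i, (bit, v) in enumerate(zip(challenge, opened)))

def trace(commitments, first, second):
    """Bank side: two valid spends of one coin yield the embedded identity."""
    (c1, o1), (c2, o2) = first, second
    if not (verify_spend(commitments, c1, o1) and verify_spend(commitments, c2, o2)):
        raise ValueError("spend transcript does not match the coin")
    for i in range(K):
        if c1[i] != c2[i]:            # both halves of pair i are now known
            return xor(o1[i], o2[i])
    return None                       # same challenge twice reveals nothing new

def demo():
    withdrawer_id = b"ACCT-WITHDRAWER!"   # constructed 16-byte identity
    coin = withdraw(withdrawer_id)
    copied = coin                         # a plain copy carries the same secrets
    ch1, ch2 = [0] * K, [1] + [0] * (K - 1)   # constructed payee challenges
    return trace(coin["commitments"],
                 (ch1, spend(copied, ch1)), (ch2, spend(copied, ch2)))

if __name__ == "__main__":
    print(demo())
```

The identity recovered by `trace` is whatever was embedded at withdrawal, regardless of who held the copy when it was spent.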





