CDR: Re: Jim Bell

Tim May tcmay at got.net
Mon Nov 27 19:45:58 PST 2000


At 7:16 PM -0800 11/27/00, Ray Dillinger wrote:
>
>Since this time I was trying to distill a formal protocol
>specification, I was a lot more critical about fine points.
>
>Bell handwaved on the point of obtaining digital cash for
>paying the assassin with.  Bob the broker can go to the

There's often "hand-waving" when reasoning about digital cash and how 
it is transferred, spent, redeemed, etc. Bell is not a cryptographer. 
Also, he didn't claim to have built a working system. (I think any of 
us could be called as witnesses to refute a state claim that he was 
deploying a real system!)

However, much of your reasoning below is _also_ hand-waving.

Fortunately, there's a way to cut through it. I'll cover this at the 
end, after your included section (which I would normally snip, but 
won't this time).


>bank and obtain it in the usual way, of course - but then
>has to transfer it to Alice the assassin, and there's a
>sticky point involved.  If he just "copies" the money to
>Alice, she can double-spend with impunity and it's Bob's
>identity that will be revealed.
>
>Conversely, if she provides tokens for the bank to sign,
>then Bob has a major problem getting them past the cut-and-
>choose protocol at the bank.  Even if she provides enough
>tokens to completely populate the cut-and-choose protocol,
>those tokens still have to have splits of valid identification
>information for somebody in them - and giving them all to
>Bob so that Bob could complete the protocol with the bank -
>would imply that Bob is privy to that information.  Worse,
>the bank will have the information from the cuts it didn't
>choose, and has to make sure it all matches. Thus, Bob the
>Broker and Dave the Banker can identify Alice - or at the
>very least someone whose identification Alice has stolen. 
>
>Finally, Carol the contributor has to have a way to check
>the digital cash that was sent Alice - to make sure Bob
>is not holding out her contribution. This works if Carol's
>original coinage is simply encrypted under the key that the
>successful predictor used - because Carol can perform the
>same computation and make sure that bit string appears in
>the "payment" package.  But then Carol has the same problem
>where Alice can double-spend with impunity and it's Carol's
>identity that will be revealed.  On the other hand, if
>Carol's digital cash is transferred to Bob by protocol,
>there's no way she can recognize it later under encryption. 
>(and under commercial digital cash protocols now in use, no
>way Bob can retransfer it to Carol).  So if Bob deposits the
>money and obtains new digital cash, Carol needs a way to
>look at that digital cash and know that it does in fact
>carry the bank's signatures for the proper amounts - she
>can't recognize her own bills, but she can check that the
>total is correct from the last point at which she could. 
>But Carol has to be provided this information without
>providing her enough information to just spend the cash
>herself. 
>
>In short, AP as described by Bell appears to depend on
>digital cash having some exotic and not-otherwise-very-
>useful properties, including a bank with a protocol that
>allows issue-by-proxy, which has no readily apparent
>commercial use. No protocol for digital cash that I'm
>yet aware of has these properties.  Hence, without some
>major engineering work, and probably the active cooperation
>of some bank, AP as described cannot be implemented.

It's simple:

If payer-anonymity (payer is untraceable by the payee) and 
payee-anonymity (payee is untraceable by the payer) exist, then the 
buyers and sellers of some "thing" are untraceable to each other. 
Whether that "thing" is a piece of warez or a bet in a murder pool 
(cf. Jack London for a much earlier discussion than Bell's).

Arguing how complicated or confusing digital cash can be by citing a 
specific market like AP is what I mean by hand-waving.

If, for example, the Mojo Nation folks succeed in making "mojo" both 
payer-anonymous AND payee-anonymous, then all of the hand-waving 
above is beside the point.


>
>I think some of these problems could be solved by
>engineering; but A, it would be non-trivial work, and B,
>I don't think I care to waste any effort on figuring out
>secure ways to kill people outside the law.
>
>				Bear


RTFM.


--Tim May
-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)
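
The double-spend property referred to in the quoted text (identity information split into shares inside the coin, recoverable only when the same coin is spent twice) can be sketched as follows. This is an added example, not part of the original message or of any deployed system: it is a simplified, Chaum-Fiat-Naor-style identity split using hash commitments, it omits the blind signature and the bank's cut-and-choose, and all names and sample values are hypothetical.

```python
import hashlib
import secrets

K = 16  # share pairs per coin (constructed parameter)

def commit(value: bytes, nonce: bytes) -> bytes:
    """Hash commitment to one identity share."""
    return hashlib.sha256(nonce + value).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mint_coin(identity: bytes):
    """Withdrawer: split identity into K XOR pairs and commit to every share.
    The public commitments are what a bank would (blind-)sign."""
    secret, public = [], []
    for _ in range(K):
        left = secrets.token_bytes(len(identity))
        right = xor(left, identity)          # left XOR right == identity
        nl, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        secret.append(((left, nl), (right, nr)))
        public.append((commit(left, nl), commit(right, nr)))
    return secret, public

def spend(secret, challenge):
    """Spender: open one share of each pair, selected by the payee's challenge bits."""
    return [secret[i][bit] for i, bit in enumerate(challenge)]

def verify_spend(public, challenge, response) -> bool:
    """Payee: check every opened share against the signed commitments."""
    return all(commit(v, n) == public[i][bit]
               for i, (bit, (v, n)) in enumerate(zip(challenge, response)))

def bank_detect(deposit_a, deposit_b):
    """Bank: two deposits of one coin with differing challenges expose both
    halves of some pair, which XOR to the withdrawer's identity."""
    (ch_a, resp_a), (ch_b, resp_b) = deposit_a, deposit_b
    for i in range(K):
        if ch_a[i] != ch_b[i]:
            return xor(resp_a[i][0], resp_b[i][0])
    return None  # identical challenges: nothing new is revealed

if __name__ == "__main__":
    ident = b"withdrawer-0001"               # constructed sample identity
    secret, public = mint_coin(ident)
    c1 = [secrets.randbelow(2) for _ in range(K)]
    c2 = [secrets.randbelow(2) for _ in range(K)]
    d1, d2 = (c1, spend(secret, c1)), (c2, spend(secret, c2))
    print(verify_spend(public, *d1), bank_detect(d1, d2))
```

The identity recovered is the one embedded at withdrawal, whoever later spends the copies, which is the point the quoted text makes about a coin that is simply copied to a third party.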




