The Pulp Theorem (Re: Digital Cash)

[Adam Back]

On Thu, Jul 12, 2001 at 03:41:57PM -0700, Morlock Elloi wrote:
> > Probably people would be willing to accept other issuers currencies even if
> > they don't know the issuer so long as they had the reputation rating for the
> > currency / issuer.
> > 
> > But anonymous reptuations alone aren't any use as a rational issuer would
> > refuse to redeem if the action didn't adversely affect his reputation -- you
> > need to be assured that the rating of the anonymous issuer will be downrated
> > if they refuse to redeem.
> > 
> > So then perhaps you could proceed by having unlinkably anonymous credentials
> > for reputation with a trap-door for the rating party so that the rating
> > party can identify the pseudonym behind the unlinkable credential and
> > downrate it.  You also want the unlinkable rating credentials to need to be
> > refreshed by the rating credential issuer in order to re-show.  Brands'
> 
> This just shifting the issue without actually solving it - instead of mint
> visibility now we have credential issuer visibility. There goes credential
> issuer.

So I have two types of issuer.  The currency issuer (let's call them mints
to avoid confusion).  Ray has every one a mint (potentially, some users may
choose to use other peoples mints to avoid having to manage the reputation
of their own).  Floating exchange rates based on reptuation of the mint.

Then we have an issuer of one use (and hence unlinkable) credentials
representing the reputation of the mint.  So these are reputation credential
issuers.  My thought was that there would similarly be reputation credential
issuers -- (potentially) everyone a reputation credential issuer.

Also Stubblebine et al have a paper about abuse control with unlinkable
anonymous credentials.  They way they do this is to have one unlinkable
credential which you can show only once.  Then you can trade it for a fresh
unlinkable credential if there have been no complaints against the current
credential.  Because the fresh credential is freshly blinded it's not
linkable.  And yet you retain some scope for abuse control, if the proof of
misconduct arrives before you've handed over the new credential.  (The
Stubblebine paper doesn't say much more than that.  Do a web search if you
want the paper.  It was in the context of unlinkable subscriptions to
services, where you want to renew, but the service operator wants the
ability to cancel abusers of their AUP's subscriptions.)

Seems like this might be usable here.

> The basic point here is that:
> 
> a) most "public" (including me and the few that I talked with) will not
> "trust" money that is pure math, without actual *people* (who can be
> pulped if something goes wrong) behind it. Pulpability (in this special
> meaning) is a key ingredient in trust - you trust someone that agrees to
> be hurt if she misuses the trust. Fuck the math, new advances happen and
> most do not understand it any way.

This seems like a technology trust issue.  It seems just to do with
branding, advertising and common acceptance.  A mag-swipe card could fail, a
bank could empty your acount, their security could fail and someone else
empty your account via ATM.  People trust the systems because their friends
trust them and seem to use them without incident and they want to use the
system because of convenience or some other useful attribute.

> b) The competition (government) will pulp the pulpable mint.
> 
> So, n-way blind e-cash will never happen. It may be a nice thing to
> bullshit about and to do PhD thesis and patents on and thus attract
> chicks, but it will never happen.

Ray's scheme sounds interesting because it's a computer mediated Letts
scheme.  Letts schemes seem to exist with manual book-keeping.

Also trust levels needed to trust in something as a value store are much
higher than purely as a immediately cleared payment mechanism.  With the
reputation system you could even have insurance.

Adam