The Crypto Winter

Tim May tcmay at got.net
Mon Nov 19 11:46:45 PST 2001


On Monday, November 19, 2001, at 10:29 AM, Adam Shostack wrote:
> | 6. The failure to get true digital money. Call it what you like,
> | "digital cash" or "ecash" or even one of Hettinga's pet names, but the
> | fact is that for both political and technical reasons we don't have
> | digital cash. This has ripple effects for nearly all of the constructs
> [...]
> | This failure to get workable untraceable digital cash (true 2-way
> | untraceable, not the bastardized, banker-friendly, government-friendly
> | one-way untraceable form) is the _deep_ reason things are stagnating.
>
> Sad as it makes me, I don't know of any system which allows 2-way
> untraceability and fraud prevention.  Can you point me to one?  With
> trustworthy reputation systems, you might be able to get away from
> this problem.  I don't know of any reputation system that I'd trust
> for a multi-hundred dollar transaction today.


Doesn't the Barnes/Goldberg "moneychanging" protocol effectively 
symmetrize the untraceability?

Even if the protocol is payer-untraceable-but-payee-traceable, the 
moneychanging protocol makes both untraceable. (Alice-Bob-Charles.)

I'm not handwaving here, I hope, but the lack of blackboards and enough 
time (on all of our parts) to make sure our notation is correct, makes 
it tough to argue. Folks should go back to several articles written by 
Ian, Doug, and others. Circa 1996-7, as I recall. Also, some demos at CP 
physical meetings.

There are issues of one party receiving part or all of the items being 
transferred and then burning the other party. And if the items, whether 
ecash or software or whatever, require later authorization/turn on to 
complete the transaction, there are further burning opportunities. (Note 
that this is not a problem unique to digital cash. There are always 
prospects for a merchant taking the money and then saying "Bye," or "I 
already gave you the stuff." Or delivering defective products. This is a 
kind of "handover deadlock" which, nonetheless, has not halted commerce 
of various kinds. Even at flea markets, where the sellers and buyers are 
largely anonymous. I realize that digital commerce systems have higher 
requirements, for the same (basic ontology of the world) reasons that 
security flaws in digital systems may be exploited far more rapidly and 
devastatingly than, for example, a security flaw at my house.)

My _intuition_ is that an ecology of agents each exchanging digital 
money, even if the system is only uni-directionally untraceable, with 
"anyone a mint," goes a long way toward solving the problem. Squares the 
circle, so to speak. Throw in escrow agents and intermediate holders, 
bonded with nyms, and I see no particular reason why two-way 
untraceability is not feasible.

But let me make a meta-point:

We know that David Chaum, for various reasons, initially claimed two-way 
untraceability. We also know that he later emphasized offline clearing 
and "monitors" to deal with double-spending and repudiation problems. He 
also appeared to emphasize payer-untraceability (so that Alice could not 
have her purchases tracked by BobCo Enterprises) and claimed at one 
point that he could not see any need for payee-untraceability.

(I refuted this to his face at a CFP, circa '97, by citing Bob the 
Seller of Birth Control Information, facing arrest and whatnot if caught 
selling banned information. This is just one of a huge class of 
situations where sellers are as much at risk as buyers. David had no 
answer, saying "Hmmmhhh...I'll think about it," or words to that effect. 
Him being an obviously very bright thinker, and him having spent many 
years thinking about these issues, I was and still am at a loss to 
understand why he would think payee untraceability is not needed.)

So, here's the punchline,

Regardless of companies trying to make money, not be run out of business 
by money laundering laws, trying to be banker- and Homeland 
Fascism-friendly, IS THERE A FUNDAMENTAL REASON WHY TWO-WAY 
UNTRACEABILITY IS NOT "POSSIBLE"?

I believe counterexamples have already been developed, showing there is 
nothing wired into the nature of mathematics that makes two-way 
untraceability impossible. I'll save these examples for later.


--Tim May
"As my father told me long ago, the objective is not to convince someone
  with your arguments but to provide the arguments with which he later
  convinces himself." -- David Friedman




