The Crypto Winter

Ken Brown k.brown at ccs.bbk.ac.uk
Mon Nov 19 12:39:51 PST 2001


Tim May wrote:

> So, here's the punchline,
> 
> Regardless of companies trying to make money, not be run out of business
> by money laundering laws, trying to be banker- and Homeland
> Fascism-friendly, IS THERE A FUNDAMENTAL REASON WHY TWO-WAY
> UNTRACEABILITY IS NOT "POSSIBLE."
> 
> I believe counterexamples have already been developed, showing there is
> nothing wired into the nature of mathematics that makes two-way
> untraceability impossible. I'll save these examples for later.

I don't know if there is. I'll have to think about it. Any train of
thought that involves a distinction between "seller" and "buyer" is
probably going up the wrong track. As is any that involves a distinction
between "cash" and "goods"? Yes, I suspect. So we can think of it as
barter, but digital barter, so moneychanging *is* a good model. It is
sufficient to prove that you can do anonymous, safe, digital
money-changing.

The full, hard, question then is something like this:

Is there a protocol that allows moneychanging between different forms
of digital money that

1) allows complete anonymity to both partners to a transaction, and
2) provides strong defences against fraud to both parties, and
3) works well if one partner has much more to lose than the other (&
therefore for arbitrarily large amounts) and
4) works without a trusted 3rd party (broker, bank, court, police,
godfather, whatever), and
5) can be relied upon for a single transaction - in other words the
partners have no previous knowledge of each other, and
need never have a further relationship.

?

The protocol needs to be stateless between trades (though not, of
course, within them). Everyone comes to the table with no history and
leaves it with no requirement to return.

Several slightly weaker cases are of course trivially possible, if we
allow some pseudonymity, or assume that the transactions are small
enough that fraud will hurt neither party. 

It is trivially possible if there are repeated pseudonymous transactions,
and there is enough time for the parties to build up a reputation.

Requirement (4) need not be true if both parties are allowed to have a
pseudonymous relationship with a 3rd party, but that just gets us back
to banking, which is boring.

It is also easy if only one party is really worried about fraud.
Ordinary cash transactions for small amounts work like that already. The
shopkeeper doesn't care who I am or, really, if my cash is any good. If
I pass him a few dud coins he has lost a tiny part of his turnover.  I
do care that the goods I am buying are good though. So he has to
reassure me of his reliability not the other way round. Though they do
care if lots of people start to pass forged coins. If their turnover is
high enough they have an interest in the average quality of money, not
the quality of any one coin. The system only has to be good enough, not
perfect. 

Pseudonymous exchange can be achieved by breaking trades down into
small increments none of which is significant enough to damage either
player. If I'm going to give you a thousand pounds for 1600 dollars we
could do it a dollar at a time and just withdraw - but we know this
already so no point in thinking aloud along those lines.

Ken Brown
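The incremental-exchange idea in the last paragraph of the post is worth making concrete, because it shows which requirement it actually buys. What follows is an added simulation, not code from the post or from anyone on the list. It takes the post's own figures (a thousand pounds for 1600 dollars) and assumes, as constructed details, that the trade is settled in pence and cents over n equal rounds, that party A pays first in each round, and that either side may simply stop paying at any point (modelling fraud or disappearance). The party names A and B, the round count, and the helper names are hypothetical.

```python
"""Gradual (incremental) exchange simulation.

Two parties swap a_total units of A's currency for b_total units of B's
currency in n equal rounds. A pays first in each round, B answers. Either
party may stop at any round; the counterparty then stops too. The point of
the exercise is the bound on exposure: the cheated side loses at most one
increment (a_total / n), so the risk per trade is tuned by n, not by trust.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    rounds_completed: int      # rounds in which both sides paid
    a_paid: int                # units of A's currency delivered to B
    b_paid: int                # units of B's currency delivered to A
    aborted_by: Optional[str]  # "A", "B", or None if the trade completed


def gradual_exchange(a_total: int, b_total: int, n: int,
                     a_stops_after: Optional[int] = None,
                     b_stops_after: Optional[int] = None) -> Outcome:
    """Run the exchange. *_stops_after = k means that party pays nothing
    from round k onward (0-based), i.e. it walks away or cheats."""
    if n <= 0 or a_total % n or b_total % n:
        raise ValueError("totals must split into n equal increments")
    a_step, b_step = a_total // n, b_total // n
    a_paid = b_paid = 0
    for r in range(n):
        # A moves first in each round, so A carries the exposure for it.
        if a_stops_after is not None and r >= a_stops_after:
            return Outcome(r, a_paid, b_paid, "A")
        a_paid += a_step
        # B answers; if B keeps A's increment without paying, A is cheated.
        if b_stops_after is not None and r >= b_stops_after:
            return Outcome(r, a_paid, b_paid, "B")
        b_paid += b_step
    return Outcome(n, a_paid, b_paid, None)


def a_loss(o: Outcome, a_total: int, b_total: int) -> int:
    """How much A is out of pocket, in A's units, relative to the agreed
    rate. Exact in integers because b_paid is always a multiple of b_step."""
    return o.a_paid - (o.b_paid * a_total) // b_total


def max_exposure(a_total: int, n: int) -> int:
    """The bound the incremental scheme promises: one increment of A's money."""
    return a_total // n


# Figures from the post: 1000 pounds for 1600 dollars, settled in pence/cents
# (constructed units), in 800 rounds of 125p against 200c.
POUNDS_IN_PENCE = 100_000
DOLLARS_IN_CENTS = 160_000
ROUNDS = 800

if __name__ == "__main__":
    honest = gradual_exchange(POUNDS_IN_PENCE, DOLLARS_IN_CENTS, ROUNDS)
    cheated = gradual_exchange(POUNDS_IN_PENCE, DOLLARS_IN_CENTS, ROUNDS,
                               b_stops_after=300)
    lump_sum = gradual_exchange(POUNDS_IN_PENCE, DOLLARS_IN_CENTS, 1,
                                b_stops_after=0)
    print("completed trade:", honest)
    print("B walks away after 300 rounds: A loses",
          a_loss(cheated, POUNDS_IN_PENCE, DOLLARS_IN_CENTS), "pence")
    print("same fraud against a single lump-sum payment: A loses",
          a_loss(lump_sum, POUNDS_IN_PENCE, DOLLARS_IN_CENTS), "pence")
```

Two things fall out of running it. First, whoever pays first in a round is the only one who can be cheated in that round, and by exactly one increment, which is the "just withdraw" property the post relies on: the scheme does not stop fraud, it caps it. Second, the cap is a_total / n, so the requirement about arbitrarily large amounts (3) is met only by raising the round count in proportion, which is a cost in rounds, not a new trust assumption; none of this touches requirement (1), since the parties still see each other's transfers.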