The Crypto Winter

Adam Shostack adam at homeport.org
Thu Nov 22 08:16:15 PST 2001


On Mon, Nov 19, 2001 at 11:46:45AM -0800, Tim May wrote:
| On Monday, November 19, 2001, at 10:29 AM, Adam Shostack wrote:
| > | 6. The failure to get true digital money. Call it what you like,
| > | "digital cash" or "ecash" or even one of Hettinga's pet names, but the
| > | fact is that for both political and technical reasons we don't have
| > | digital cash. This has ripple effects for nearly all of the constructs
| > [...]
| > | This failure to get workable untraceable digital cash (true 2-way
| > | untraceable, not the bastardized, banker-friendly, government-friendly
| > | one-way untraceable form) is the _deep_ reason things are stagnating.
| >
| > Sad as it makes me, I don't know of any system which allows 2-way
| > untraceability and fraud prevention.  Can you point me to one?  With
| > trustworthy reputation systems, you might be able to get away from
| > this problem.  I don't know of any reputation system that I'd trust
| > for a multi-hundred dollar transaction today.
| 
| 
| Doesn't the Barnes/Goldberg "moneychanging" protocol effectively 
| symmetrize the untraceability?

Yes.  I think there are reasonably simple and unblockable ways to make 2-way
untraceable any "open" ecash system, where, like cash, everyone is a
merchant.  But note that I said untraceability and fraud prevention, and
it's really the latter half that I think is hard to solve.

| There are issues of one party receiving part or all of the items being 
| transferred and then burning the other party. And if the items, whether 
| ecash or software or whatever, require later authorization/turn on to 
| complete the transaction, there are further burning opportunities. (Note 
| that this is not a problem unique to digital cash. There are always 
| prospects for a merchant taking the money and then saying "Bye," or "I 
| already gave you the stuff." Or delivering defective products. This is a 
| kind of "handover deadlock" which, nonetheless, has not halted commerce 
| of various kinds. Even at flea markets, where the sellers and buyers are 
| largely anonymous. I realize that digital commerce systems have higher 
| requirements, for the same (basic ontology of the world) reasons that 
| security flaws in digital systems may be exploited far more rapidly and 
| devastatingly than, for example, a security flaw at my house.)

This is the risk; we disagree on the solution.  Buyers and sellers at
flea markets are not untraceable or unlinkable in the sense that is
possible with a MIX.  If I give you money at a flea market, I can
stand there and yell and scream if you then don't give me the goods.
It's hard to abandon your table of stuff and flee if you don't want to
settle.  That's not the case with a bi-directional, fully anonymous
market.

| My _intuition_ is that an ecology of agents each exchanging digital 
| money, even if the system is only uni-directionally untraceable, with 
| "anyone a mint," goes a long way toward solving the problem. Squares the 
| circle, so to speak. Throw in escrow agents and intermediate holders, 
| bonded with nyms, and I see no particular reason why two-way 
| untraceability is not feasible.

I'm very fond of market solutions for problems.  When dealing with
money, the fundamental things that you can trade are liquidity and
risk.  Banks loan money and accept a risk of non-payment.  They set
their interest rates such that, having spent time evaluating the risk,
they expect to make money.  (Dan Geer wrote a nice essay on this
subject for a talk at DCSB in November 98).  Banks use a multitude of
methods to control and manage risks, and at the end of most of those
methods is that, with sufficient energy, you can track down a person
or legal entity to get a refund of your payments.  That's not generally
how they work; usually they try up front to ensure that the inbound
money is good, via tools like certified transfers and letters of
introduction and credit, etc.  (Frank Abagnale exploited this, and
tells his story in the enjoyable and worthwhile "Catch me if you
can.")  Over time, or with collateral, a bank will loan you money.
Some will loan you money sight unseen, based on a risk calculation.

But back to ecash.  Who will assume risk for an anonymous merchant?
(No one needs to assume risk on the withdrawal; in all systems, you
withdraw from an account, and in the good systems, blind the coins
so the bank doesn't know what coins came from what account.  The bank
can decide if it's going to let you get valid coins.)  The risk is not
that the merchant is getting bad money; that's controllable; the risk
is that the merchant is not delivering the goods.  Given the merchant's
ability to completely disappear, who can sensibly offer a risk
guarantee?  There are ways that someone might be able to offer a
guarantee; for example, require that the merchant post a bond.
However, that doesn't work; complete anonymity incurs delays and
bandwidth costs, and it will be possible to scale an attack such that
the merchant walks off with more than the value of the bond.

Now, the people who understand this best are the ones that Chaum
chased and Hettinga just spent so much time with.  They get that they
want to be able to manage risk; it's what they do, and they can't do
that with two-way untraceable money.

So, does that mean it is not possible to have anonymous merchants?
Well, that depends what you mean by anonymous.  If you mean the sort
of complete anonymity that Chaum showed was possible, I don't think
that it can be deployed.  If you mean that your merchant takes his
cash through traditional privacy measures like a private bank on
Vanuatu, then sure.  However, that's not what I think you were asking
for.

How different are these?  In normal practice, I don't think they're
substantially different.  There's a different level of trust to be
placed in laws and tellers, and that makes many people uncomfortable
as we see those laws bend and break.  However, it makes others, the
bankers, very comfortable, that they have a risk management strategy
that they can construct.  They can chase the company, its bank, or the 
beneficial owners in various combinations in the event of fraud.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume




