Anonymous Transport Layer

Patrick Chkoreff patrick at fexl.com
Sun Apr 27 08:35:25 PDT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: John Kelsey <kelsey.j at ix.netcom.com>

(Regarding my non-blinded scheme)

> Right.  You actually can get reasonable anonymity with the kind of 
> scheme
> you're proposing, assuming anonymous communications and heavy use of 
> the
> system.  When you get a coin issued, you just keep it in limbo for 
> awhile,
> and then "spend" it with yourself, iterating until your paranoia level 
> is
> satisfied.  If the system is heavily used for real stuff, and the uses 
> are
> over an anonymous communications network, there should be no way for 
> the
> bank to tell when you're transferring the coin to yourself, vs. when 
> you're
> transferring it to someone else.  ...

I have sometimes wondered if it might be possible to use non-blinded 
digital notes on top of an anonymous transport layer and thereby 
achieve the same untraceability as that provided by blinded digital 
notes.

So, I considered the possibility that a coder might be lazy and write a 
system that over normal IP would have undesirable traceability 
characteristics, and simply wave his hands and say "Ah, no problem, I'm 
letting the transport layer (Tarzan, ANON, etc.) take care of that."

If such a division of labor were possible, it would be analogous to 
using a Secure Socket Layer in an application, knowing only how to set 
up and tear down the protocol but nothing in particular about 
cryptography.

One might even assume the worst case, that the server records every bit 
of information it ever receives for all time.  The main events recorded 
would be of the form "At time T, the server received note P[i] for 
redemption and sent out note P[i+1] in return."  So there would in fact 
(worst case) be a traceable chain P[1]-> ... ->P[n].  However, there 
would be no IP address information because of the anonymous transport 
layer.

> The bank can tell that you have coin X
> today, and that 20 iterations ago, that was coin Y.  ...

Yes, I see, the P[1]->...->P[n] chain.

> But that isn't going
> to give very much information about whether the coin is still in the
> possession of the same person.  ...

Yes, but the 20 rounds of thrashing occur within a specific short time 
period, so that won't fool ANY spook worth his salt, right?

Alice deposits a gold Maple at the bank and receives P[1].  The next 
day she thrashes P[1]-> ... -> P[20] in a period of one second.  Four 
days later she spends P[20] with Bob's Kinky Sex Emporium.  Bob swaps 
P[20] for P[21].  The next day he redeems P[21] for a gold Maple 
(ignoring fees of course).

I guess the problem here is that the bank receiving and issuing gold 
Maples knows that P[1] belongs to Alice and P[21] belongs to Bob at Kinky. 
  The time stamps on the chain of swaps P[1] ...  P[20] look 
suspiciously like obscurity-thrashing, although the bank cannot be 
absolutely sure, of course.  Instead, Alice might have spent P[1] for a 
gardening book at Amazon and some kinky employee there did the 
thrashing P[2] ... P[20].

Such a scheme might provide a certain level of plausible deniability, 
but I am not sure one could capitalize on it enough to build a solid 
system.  It does sound a bit crufty compared to blinding, although the 
possibility of a more efficient implementation (storing unspent coins 
only for low disk usage and hyper-fast lookup) might compensate -- 
although there might be a cost in bandwidth, but that might be 
proportional to paranoia level and charged accordingly.

The idea of implementing a relatively unsafe digital note protocol on 
top of an anonymous transport layer is appealing, but I am not sure 
such a division of labor is possible.  Can anyone provide a bit of 
guidance on this point?  I know Google is my friend, but this is a 
pretty subtle question and just a hint will suffice.

The problem at the endpoints described above might be mitigated 
considerably if we had a world-wide network of gold kiosks providing 
bidirectional swapping of physical gold and digital notes -- a true 
e-hawala.  Alice could don a ski mask and deposit a gold Maple in 
Jasper, Georgia, and five days later Bob at Kinky could don a ski mask and 
receive a gold Maple in Helsinki.  There would be no "bank" where Alice 
or Bob would have to identify themselves.

<tangent>
There's an ideal world scenario for you -- gold kiosks, cheap 
disposable smart card note purses, and wireless network everywhere.  In 
an interesting twist, this would not in fact be a "cashless society," 
but an even more "cashful society" with one brand new feature:  the 
ability to teleport fungible gold atoms from Jasper to Helsinki in a 
fraction of a second.  The ultimate hawala, where oil-powered shipment 
of gold would only occasionally be necessary to balance out the kiosk 
inventories.  Perhaps eventually the need for giant central stores of 
gold could be nearly eliminated.  Gold would just be laying around in 
kiosks everywhere on the planet, just waiting for someone with the 
right bits (or tools :-) to pick it up.  I'm sure many of you have 
discussed such starry-eyed visions at length, but please forgive this 
newbie for indulging a bit as this cappuccino-inspired vision possesses 
him.
</tangent>

- -- Patrick
http://fexl.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPqv4x1A7g7bodUwLEQIMfQCgw3QwMINRZKzZdP+8ke6JjuLYAlUAoKBl
fMuBMYvCkXdK+kZv1PT5Ki51
=Vxog
-----END PGP SIGNATURE-----

More information about the cypherpunks-legacy mailing list