Fwd: (micro)payments for anonymous routing in Tor?

R.A. Hettinga rah at shipwright.com
Wed Sep 24 11:37:59 PDT 2008 

Gee, this sounds familiar. :-)

I remember talking about cash-settled routing with Vinnie Moscaritolo,  
while bouncing around in his bumper-sticker-festooned Toyota pickup  
when I did my first Apple talk in 1995 or so. It's kinda like  
Feynman's "patent" for the atomic powered bomber, one of the first  
things you bump into when you think about how small bearer  
transactions could go. No doubt the Agorics guys were talking about  
something equivalent in the "digital silk road" days; turtles all the  
way down, and so on.


Cash-settled routing is essentially a streaming cash application, just  
like streaming music, or a whole lot of other things, if you hop back  
and forth across the particle/wave phenomenon that is the world of  
internet protocols.

The simple way to deal with double spending of streaming coins is to  
assay (statistical sample) the coins in real-time, do a redeem-reissue  
on assay, and to do a redeem/reissue on all your coins after  
completion of the transaction to make sure that the coins you have  
aren't double spent.

Or not, I suppose. The risk is entirely yours, same as it ever was  
with off-line or, in the case of streaming, quasi-offline, transactions.

As an underwriter (I hate the word bank for various reasons), I would  
assay coins randomly on redemption and pay for the whole lot to save  
myself and my customers time and bandwidth.

As for the coins themselves we were looking at Shamir/Rivest's  
micromint for this the first time around, but Nicko wrote a paper for  
FC00 showing that simple rsa-signed coins are more scalable from case  
zero.

BTW, I think of "coins" as things requiring probabilistic settlement  
like this, and "notes" as things requiring individual settlement, like  
blind-signature instruments. Obviously, Moore's Law determines the  
"thermocline" ("pecunicline"? :-)) for this, the boundry layer between  
"coins" and "notes". I chose probabilistic settlement, because  
micromint, and other streaming coin applications, pretty much require  
a factory to produce the coins, just like it takes a whole factory to  
make one penny, the first being the most expensive, economies of  
scale, and all that.

Of course, Rivest/Micali's "Peppercoin" is the exception that proves  
the notes/coins decision-rule, because, while a completely book-entry  
transaction, it's probabilistically settled, Peppercoin being a  
"lottery" where you write an arbitrarily large number of biometric- 
identity checks and pay only one of them. So Pepper*coin* is really  
Pepper*check*, but, obviously, that name would probably make the VCs  
eyes glaze over, so its just as well they didn't use it.

Anyway, for TOR itself, like anonymous remailers, cash settlement,  
streaming or otherwise, is necessary, because the economics of the  
idea at the moment is entirely transfer-priced, meaning that, like  
open source -- or other advertisement-supported media :-) -- the  
product is included "free" in transactions for other things. Since  
anonymity is, shall we say, atomistic in its necessity, it's hard to  
support it with something else besides cold, hard, cash.

Cheers,
RAH

Begin forwarded message:

> From: Eugen Leitl <eugen at leitl.org>
> Date: September 24, 2008 4:43:14 AM GMT-04:00
> To: cypherpunks at al-qaeda.net
> Subject: Re: (micro)payments for anonymous routing in Tor?
>
> ----- Forwarded message from Josh Albrecht <thejash at gmail.com> -----
>
> From: Josh Albrecht <thejash at gmail.com>
> Date: Wed, 24 Sep 2008 03:44:39 -0400
> To: or-talk at freehaven.net
> Subject: Re: (micro)payments for anonymous routing in Tor?
> Reply-To: or-talk at freehaven.net
>
>> * payments turn it into a service with an expected outcome.   
>> Assumably
>> (among others) that is 1) your anonymity is maintained and 2) your  
>> payment
>> is completed successfully.  What happens _when_ something goes  
>> wrong? As of
>> now, the first thing that Tor says is "This is experimental  
>> software. Do not
>> rely on it for strong anonymity. " It would have to add, "Do not  
>> rely on
>> this to successfully route your financial transactions" and while  
>> the first
>> is a warning most can accept, the second may really scare us.
>
> This came up on IRC as well.  Someone pointed out that the paper's
> assumption of "honest but curious" banks might not be valid (ie, the
> bank might cheat).  However, there are a few counter-arguments to that
> that I see.
>
> For the S-coins, it will be immediately obvious to a relay that the
> bank is cheating, because the relay can validate whether the payment
> is good or not on its own.  For the A-coins, the answer is trickier.
> The relays can still check the validity of the payment, but the client
> could be "double-spending".  If the bank pays A-coins even in the case
> of double-spending, the bank can never cheat.  The downside is that
> anonymous clients can then cheat to get slightly more value for
> A-coins than they put in.  This is a serious problem because it would
> allow the client to pay multiple relays that they control, essentially
> duplicating their money for free.
>
> Thus, the bank must decline all payment for double-spent A-coins, or
> at least allow only one payment for any A-coin.  However, clients can
> still validate that the bank is not cheating by withdrawing and
> depositing A-coins at any time in an attempt to catch the bank
> cheating.  This is more of an economic argument--the bank has an
> incentive to maintain user trust so that it can continue to do
> business.  The value gained by cheating some users of A-coins would
> likely be less than the expected gain from NOT having to worry about
> the risk of someone demonstrating that the bank is cheating.
>
> Also, the values at stake are:  1.  very small, and 2.  greater than
> the current profit of zero for relay operators.  It's not that relay
> operators have to rely on Tor for their financial security--they
> could, with this scheme, make some modest amount to cover their costs.
> No single relay operator should ever have a significant amount of
> money in the system that could possibly be at risk.
>
>> On Wed, Sep 24, 2008 at 12:05 AM,  <tor-operator at sky-haven.net>  
>> wrote:
>> How do you pay anonymously yet have the system fairly permit "paid"  
>> traffic to
>> have higher priority?  With anonymity intact, how do you audit and  
>> enforce
>> this policy?
>>
>
> I think your first question was about how to ensure that giving
> priority to certain traffic does not introduce any new attacks against
> anonymity?  In that case, I'm not sure, but it is not at all clear to
> me that this would decrease anonymity.  Does anyone see such an
> attack?
>
> As for the second question, I think it was:  what prevents relay
> operators from choking off all unpaid traffic, in order to maximize
> profits?  As an answer to that, I'd say that not much prevents them
> from doing that.  Perhaps there are anonymity benefits to allowing
> unpaid traffic as well (since there would be more ambiguity as to the
> original source of the traffic).  There might also be ethical benefits
> to allowing unpaid traffic, ie, much the same motivation for the
> current operators of Tor relays.  Finally, if this were the default
> behavior, novice users would be unlikely to change it, and that alone
> might be enough bandwidth for unpaid users.
>
> Thanks for the thoughts!
> - Josh
>
> ----- End forwarded message -----
> -- 
> Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list