1995-09-13 - Digital Cash on sci.crypt

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: ae44de21144d8108b4e1993af5e76d9c83b21ad5ca1597c529e526c74b04b3b5
Message ID: <199509132121.OAA25994@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1995-09-13 21:22:36 UTC
Raw Date: Wed, 13 Sep 95 14:22:36 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Wed, 13 Sep 95 14:22:36 PDT
To: cypherpunks@toad.com
Subject: Digital Cash on sci.crypt
Message-ID: <199509132121.OAA25994@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


There has been some discussion on sci.crypt of digital cash and its
facilitation of kidnapping, extortion, etc.  Here is a posting I made
which mentions an on-line paper on the topic.  I had met the author,
Markus Jakobsson, at Crypto 95, but I only had a chance to check out his
web site yesterday.


awc@slcawc.aug.ipp-garching.mpg.de (Arthur Carlson TOK ) writes:

>[In response to a discussion of whether digital cash could be used to
>provide anonymous collection of ransom money]

>Is there really no technical fix for this? To enable the prevention of
>double spending in off-line systems, the ID of the withdrawer is coded
>into the coins in a way that is verified by the bank. If the victim's
>relatives can undo enough of the code to satisfy the bank, why can't
>they undo the rest to detect when the coins are spent? Alternatively,
>why can't the bank put an identifier on the coins (in a way that isn't
>destroyed by the unblinding) that amounts to a message encoded in the
>public key of the withdrawer? Then the withdrawer can make the
>destination of the ransom money visible by revealing his private key
>(after the victim has been released, of course). (He also reveals
>every dime he spent in the last year and all his kinky love letters,
>but, hey, we're trying to catch a kidnapper here.)

There has been considerable discussion of this problem in the
literature recently.  A paper I found yesterday on the net is by Markus
Jakobsson and Moti Yung: Revokable and Versatile Electronic Money, at
<URL:http://www-cse.ucsd.edu/users/markus/revoke.ps> (postscript
format).  It has references to other work as well.

The specific attack I discussed earlier applies to the current DigiCash
scheme (or at least how it is assumed to work).  Offline cash systems
would be more complicated.  The references in the paper mentioned above
describe how these attacks would work on such systems and some ways of
avoiding them.

However there is a more powerful attack, which the Jakobsson paper
addresses, in which the bank as a whole is coerced.  Maybe terrorists
threaten to blow up the World Trade Center unless Citibank engages in a
specific protocol which will leave the terrorists with millions of
dollars in fully blinded electronic cash.  Even if the normal withdrawal
protocol has signatures, etc. which would prevent this, Jakobsson shows
that there is a corrupted protocol which if the bank is forced to follow
it will leave the criminals with valid but untraceable electronic cash.

The solution in the paper is to make it so that none of the ecash
issued by the bank is untraceable.  Under normal use it is anonymous,
but if necessary the authorities can break the anonymity.  This is
sometimes called "Clipper cash" after the U.S. Clipper chip proposal
which had similar privacy properties.

With Jakobsson/Yung's approach even the more powerful attack can be
defeated because the cash is traceable, and no amount of coercion will
allow the attacker to create valid but untraceable cash.

While these approaches are technically interesting, the political
implications are more ominous.  While Jakobsson labels the entity who has
the power to break the anonymity an "ombudsman", implying that he defends
the interests of the cash holder, he could equally well be called a
"policeman" because he is the one who catches the criminals.  It is all a
matter of how you look at it.

The question is whether these various threats of kidnapping, blackmail,
extortion, etc. are good enough reasons to go to a cash system where
privacy is protected only at the sufferance of government agencies.
There are plenty of precedents for governments misusing supposedly-
private information, such as the use of phone records to track down
those who resisted the German regime during World War II.  One of the
attractive aspects of electronic cash has been its immunity to this form
of governmental coercion.  The overwhelmingly negative response to the
Clipper chip proposal (other than in the cryptographic and law
enforcement communities) may apply to Clipper cash as well.

A related issue is the possible competition of rival cash systems.  As
with Clipper, where it would apparently be necessary to forbid the use of
alternatives, so with Clipper cash it would seem that people would prefer
true anonymity over conditional protection, even if you call the cash
tracer an "ombudsman".  So there would seem to be a need for governments
to criminalize the use of fully anonymous electronic cash in order to
force people to use the ones which the government could track.  Whether
this will even be possible in an increasingly global financial system
remains to be seen.

Hal Finney
hfinney@shell.portal.com




