1997-05-04 - Re: Bypassing the Digicash Patents

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: 3b52e0af81a57a832ff03cc09599fc5fd38ce7a68c8ba3ec79cee8b6ea0e75d8
Message ID: <v0302091caf91b14570c2@[139.167.130.246]>
Reply To: <199705032048.NAA22766@joseph.cs.berkeley.edu>
UTC Datetime: 1997-05-04 04:32:13 UTC
Raw Date: Sun, 4 May 1997 12:32:13 +0800

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Sun, 4 May 1997 12:32:13 +0800
To: cypherpunks@toad.com
Subject: Re: Bypassing the Digicash Patents
In-Reply-To: <199705032048.NAA22766@joseph.cs.berkeley.edu>
Message-ID: <v0302091caf91b14570c2@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain


Someone, whose reputation is bigger than God, in the hope of sparing me
public humiliation from the error of my ways (the very paradigm of a lost
cause :-)), wrote to me offline on this topic. I'm posting it here, because
frequently people reply to me with stuff which is extremely relevant to the
argument at hand, and which should be heard in public.

The main consideration I use is that none of the information in the reply
can be used to identify the person who sent it, or mess up whatever plans
they're laying, something you can clearly see in the following...


At 4:48 pm -0400 on 5/3/97, somebody wrote:
you write:
> > I further claim that the most efficient digital bearer certificate is an
> > anonymous one.
>
> Hal's point is this. There are two types of "anonymity": one where
> the bank says "I swear I won't keep any records based on the name
> you gave me" (the benign bank), and the other where we use Chaumian
> blinding so the bank never even sees the identity information (the
> untrusted bank).

Right. Let's call the first one the Microsoft model, because I feel
especially vicious this evening, and the second one the "Real" Chaum model.

> Now, it seems to me that the "benign bank" sort of anonymity can't
> cost any more (and in fact will even cost less) than the "untrusted
> bank" Chaumian anonymity.

Not true. With Chaumian anonymity, all the underwriter does is keep a
database of spent digital bearer certificates, which they keep down by
expiring certificate issues and the keys which generate them periodically.
When someone double-spends a certificate, the underwriter has enough
information to reveal their public key, but only when someone double spends
and not before.

With the Microsoft model, the underwriter knows who's buying your
certificates, *and* the shared secret which makes the cash valid, *and*
what time the certificate was issued, *and* what your shoe sizes, and the
name of your sister's first date, and, and, and,...

Anyway, I claim that the very Chaumian inability to *ever* know who bought
the certificates you underwrite keeps you from ever *trying* to keep track
of any other data, which, of course, is inherently cheaper.

> Yet your arguments for anonymity apply
> equally to both situations.

No they don't. There's a qualitative difference between a system where you
can't ever know who some one is, but you can still trust them, and a system
where you always know who someone is and they have to trust *you*. :-). I
say that one of the additional virtues of the former system is
significantly reduced transaction costs, and finally, that that happy side
effect will eventually result in a shift away from the latter kind of
system, if it ever is useful to begin with.

By the way, an additional cost of the system, which is obviously more in
line with the privacy concerns of cypherpunks, and possibly less germaine
to the transaction cost issue we're discussing, is the cost of the risk of
breaking the confidentiality of systems like the Microsoft idea. I have a
hunch that all it takes is one big information leak, and such systems will
be dropped as a form of digital cash underwriting, but I'm going pretty far
out on a limb to make that particular assertion. Should we call this the
"Clipper effect", just to rattle peoples' chains?

> Therefore, I say your arguments, taken
> to their logical conclusion, imply that we'll end up with "benign
> bank" anonymity, rather than Chaumian "untrusted bank" anonymity.

Again, I don't think so. However, what we really need is some actual
estimates and analysis to prove it, barring the existence of any actual
transaction cost data, of course. :-). Something I'm not qualified to do,
though I bet there are people here who can get those answers.

> But "benign bank" anonymity is a very very weak form of anonymity
> indeed -- it's not what most cypherpunks (or cryptographers) mean
> when they talk about anonymous digital cash.

Amen. Only people mired in the book-entry way of looking at things think
otherwise. I believe the economics of the marketplace will soon teach them
the serious errors of their ways...

> "Benign bank" anonymity
> is the sort of thing that Cybercash or other traditional systems
> provide; "untrusted bank" security is what Digicash provides.

And, again, I assert that the paradox of all this is that the cheapest form
of commerce is a form where you don't trust anyone, or, better, trust, but
verify, everyone. That's the beauty of the blind signature algorithm, it
allows you to do all that, and not keep books, which cost money.

> So, if I understand your argument correctly, you're saying that
> we'll inevitably end up with some weak form of anonymity, but it
> will be far weaker than what most cypherpunks want.

I hope you can see by now, after I've taken another shot at explaining it
better, what I was getting at.

> That sounds more like a cause for a call to arms than a reason to
> sit around reassuring ourselves that everything will turn out fine
> without us!

Nah. I don't do calls to arms. It's much better to change the world by
making money. An especially important focus to have when you're building
transaction systems. :-).


I strongly beleive that you can easily knock three, maybe four, decimal
places off the cost of any transaction you can care to mention just by
using strong financial cryptography and anonymous digital bearer
certificates on a ubiquitous geodesic network.

That remains to be seen, however. I will say that I'm working as hard as
someone with my limited skillset can to prove that hypothesis. :-).


Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
Lesley Stahl: "You mean *anyone* can set up a web site and compete
               with the New York Times?"
Andrew Kantor: "Yes."  Stahl:  "Isn't that dangerous?"
The e$ Home Page: http://www.shipwright.com/








Thread