1994-08-28 - Re: e$: e-cash underwriting

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 5c567d8cc73130e186757615f4f6a1e3e1a48b93164006d648871529fc82baac
Message ID: <199408281957.MAA02631@jobe.shell.portal.com>
Reply To: <9408271841.AA26491@ah.com>
UTC Datetime: 1994-08-28 19:58:49 UTC
Raw Date: Sun, 28 Aug 94 12:58:49 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Sun, 28 Aug 94 12:58:49 PDT
To: cypherpunks@toad.com
Subject: Re: e$: e-cash underwriting
In-Reply-To: <9408271841.AA26491@ah.com>
Message-ID: <199408281957.MAA02631@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain

hughes@ah.com (Eric Hughes) writes:

>Why does everyone think that the law must immediately be invoked when
>double spending is detected?

>Double spending is an informational property of digital cash systems.
>Need we find malicious intent in a formal property?  The obvious
>moralism about the law and double spenders is inappropriate.  It
>evokes images of revenge and retribution, which are stupid, not to
>mention of negative economic value.

It was nice to finally meet Eric and other CP's at the Crypto conference.

To me, double-spending is analogous to passing bad checks.  I don't think
people will be satisfied to simply view it as a formal property, any more
than they are in the case of checks.  In either case you are getting an
explicit or implicit assurance from the payor that the instrument is
good.  Intentionally cheating would be viewed as fraud.  I think this
approach would increase the likelihood of digital cash being accepted.

>What is needed are techniques to prevent the possibility of double
>spending from taking down the system.  These might include law, and
>hence also identity, but need not.  What is the point of an anonymous
>system if identity is needed to make it stable?  The contradiction
>here is enormous.  The offline cash protocols suffer from this fatal
>design flaw, namely, anonymity for "good people" and identity for "bad
>people".  Why invoke identity at all if you can do without it?

That's a big "if".  I don't follow the proposed solution below.

In any case, discussions about the role of identity are purely
speculative.  I think what we want is a system where people are free to
use these technologies as they wish.  If one bank offers certain
advantages to people who are willing to authenticate their identity (as I
think some will), that is fine.  If a person chooses not to take
advantage of those opportunities because he doesn't want to divulge his
identity, that is fine, too.  The real question is the degree to which
adding identity authentication increases the likely range of situations
that can be covered in a privacy-protecting way, and the degree to which
it may lower costs.

>Having a database of "spent money" is the primary technique for
>prevent direct costs from being a problem.  So what is left are
>attempts to redeem multiple times the same note.  They won't actually
>get redeemed, but if there's a negligible marginal cost for trying,
>well, then, some folks will try.

>One solution is clear and direct: charge for each redemption attempt.
>In that situation, multiple attempts get rejected, and the issuer is
>recompensed for the attempt.  No morality need be invoked.

The problem is, the fraud doesn't occur (typically) when the note is
redeemed at the bank, it occurs when the note is exchanged at the
market.  Is this proposing to charge the merchant when he in good faith
turns in the cash which was given to him by the customer, and it turns
out bad?  What cruel irony!  Here he is already cheated once, and the
bank will charge him an extra fee as additional punishment?

I must be misunderstanding.  This seems not to deter double-spenders at

>There remains an issue as to the size of this redemption fee, which
>would have to be small.  In order to optimize the transaction costs of
>charging this fee, a bank might be willing to accept identity in
>escrow for the transaction and to remove the fee for good
>transactions.  Identity might be a pseudonym revealed after 10 bad
>attempts, say.  This system removes the requirement for identity and
>substitutes it for an economic optimization based on identity.

Here I am lost completely.  Whose identity is in escrow?  The person to
whom the coin is given in the first place?  But I thought we were
referring to a double-spending protocol in which users revealed their
identity to the bank.  Apparently not?  Is the idea here that the bank
doesn't know the user's identity, but some other escrow holder does, and
it gets revealed only if the user double-spends 10 times?  But that would
still be identity-based, just with different rules about when it gets
exposed.  I really don't follow this at all.

To me, there is no problem with revealing identity in certain situations
as long as it is unlinkable to my other activities..  And I will be much
more willing to lend credit or other forms of trust to pseudonyms if I
know that they are willing to pay the ultimate price of punishment to
their own very physical bodies if they cheat me.  What more assurance
could I want?  And yet, as long as all parties are honest, we have no
fear of our identities being revealed against our will.

This is no more a contradiction than is the existance of one-way functions.
Both are manifestations of control over information flow.  If this
control is possible, why not make use of it?