From: tcmay@localhost.netcom.com (Timothy C. May)
Date: Thu, 25 Aug 94 23:41:54 PDT
To: Hal <hfinney@shell.portal.com>
Subject: Cash, cheaters, and anonymity
Message-ID: <199408260641.XAA11326@netcom15.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



Here's a long response. But it's my only post of today, as the list was
going on and on about atom bombs, uranium sabots, and alpha particles, and
with debate about why some of us are ignoring these posts and the posts of
ranters and baiters.

This topic is more in line with my reasons for being on this list. Sorry
for  the length.

Hal Finney writes:

>One question is the ease of theft in a digital cash environment, and
>the consequences of claiming that secrets have been stolen.  This
>problem was recognized very early on in discussions of digital
>signatures.  The whole point of a signature is so that someone can be
>held to a commitment.  But an easy "out" would be to "accidentally on
>purpose" let the secret keys be stolen, then to claim that the
>signature was actually forged.  Contrariwise, a business might
>be vicitimized by actually having its secrets stolen and a forged
>signature created that committed it to an unfavorable action.

Hal is right the problem of *repudiation* or *disavowal* was recognized
early on. Alice is confronted with a digital signature, or whatever. She
says; "But I didn't sign that" or "Oh, that's my old key--it's obsolete" or
"My sysadmin must have snooped through my files," or "I guess those key
escrow guys are at it again."


APPROACHES TO REPUDIATION

**The purist approach: you *are* your key. If another biological unit
obtains your key, he or she is effectively you. Guard your key carefully.

**The modern American "excuse" approach: Hey, if you want to disavow a
contract, like, just claim your key was stolen or, like, you lost it.

I understand the reasoning behind adopting a more intermediate stance, but
I think that only the purist stance will hold water in the long run.(A hint
of this: untraceable cash means, for most transactions of interest with
digital cash, that once the crypto stuff has been handled, whether the sig
was stolen or not is moot, because the money is gone...no court can rule
that the sig was invalid and then retrieve the cash!)

[It is true that Chaum went to great lengths to develop system which
preserve anonymity for single-spending instances, but which break anonymity
and thus reveal identity for double-spending instances. I'm not sure what
market forces caused him to think about this as being so important, but it
creates many headaches. Besides being clumsy, it require physical ID, it
invokes a legal system to try to collect from "double spenders," and it
admits the extremely serious breach of privacy by enabling stings. For
example, Alice pays Bob a unit of money, then quickly Alice spends that
money before Bob can...Bob is then revealed as a "double spender," and his
identity revealed to whomver wanted it...Alice, IRS, Gestapo, etc. A very
broken idea. Acceptable mainly for small transactions. More on this later.]


NEGOTIATED PROTOCOLS TO REDUCE RISKS

However, just as most folks make arrangements with their bank/ATM machines
(semantic meaning #2 of "ATM") to limit cash withdrawals to, say, $200 a
day (it varies), so too can digital cash arrangements make similar
contractual deals to limit losses. Some possible plans:

* Plan A: The protocol insists on retinal scan or other biometric
authentication between the "smartcard" used as the cryptographic keying
device and the putative owner. The "Thunderball" plan. (issues: preserving
anonymity with biometric authentication, spoofing of the channel between
card and physical apparatus, theft of smartcard, etc.)

* Plan B: The protocol only allows, say, $1000 per transaction. And no more
than 3 transactions per day. Each transaction that is cleared sends a demon
message to the account owner through a separate communications channel.

(This sounds complex...the idea is to provide a signal that an account is
being accessed, allowing the account owner to put a hold on the account.
Even if he can't stop the transactions underway, or recently completed,
because of the lags that may exist in this feedback, he can limit losses.
Kind of a mix between off-line and on-line transactions....such mixes are
to be expected, with the choice up to parties, depending on costs, risks,
speed of communications, etc.)

* Plan C: Use off-line cash only for "small" transactions, such as those
now handled with physical coins and small bills. Use on-line clearing for
larger amounts, with various forms of biometric security.

This echoes how things are done today: off-line cash is what you can carry,
in bill, coin specie, etc. Larger amounts (hundreds of dollars and up) is
almost always handled on-line, via either credit cards (on-line clearing,
albeit not anonymous/untraceable) or checks, cashier's checks, etc.

(Coins and cash bills are really "on-line clearing" though, in that their
existential properties make them acceptable immediately; they are not
replicable, at least not easily, and hence can be conserved in transations.
All the usual stuff about the nature of cash money.)

Which will be used? (and there are many variants...) As usual, markets will
allow choice. Many people will choose to limit exposure with Plan B-type
transactions. Others will contract with insurance agents who cover risks by
insisting on their own protocols for added security. (I don't mean
conventional insurance agents, naturally.)


MISCELLANEOUS STUFF

>On the other hand, I would hope that people actually can learn to use
>care in safeguarding their secrets.  The pass words and PINs we use
>today may be complemented by physical checks for voice patterns, thumb
>prints, perhaps (ironically) handwriting.  Another approach would be

Most smartcards in use today support some form of local PIN entering, some
way to provide a truly memorizable extra piece of identiy. Other biometric
measures remain a hot area of research. Stroke recognition, thumbprints,
etc. In about 5 years, when I think digital cash will be ready for prime
time (pun intended), these additional mechanisms should be deployable, for
a price. (Market-driven again: those who want to pay less in insurance will
take better steps. Companies may adopt standards. Banks may enforce them.)

...
>suggestions (one here a couple of days ago) to use various kinds of
>information exchange between the authenticating device and the human
>user in order to prove authorization in such a way that even a thief
>who has snooped on past exchanges will not be able to use the device.
>This approach is sometimes called the use of "pass algorithms".

"Zero knowledge interactive proof systems" have been used for password
systems; no amount of past snooping or eavesdropping helps. (Of course, the
user still has to have physical security over his local computer, or PDA,
dongle, or secret decoder ring.) This seems like a readily-solvable problem
(and one we already accept with existing ATM machines).



THE INCREDIBLE IMPORTANCE AND ELEGANCE OF ON-LINE CLEARING

...
>Applying this to the double-spending case, I suspect that Bob Hettinga
>is more on the right track in seeing the solution in the legal system
>rather than a simple "shucks, you caught me" forfeiting of a bond
>worth triple damages.  There really should be no excuse for double

*On-line clearing* for larger amounts is, in my opinion, the Right Thing.
Networks are getting deployed widely and are speedy. ATM, SONET, ISDN, and
all the rest.

I want to elaborate on this, even though I think most of Hal's points are
made with off-line clearing in mind. I want to make the case for why
on-line clearing is the One True Digital Cash.

Conceptually, the guiding principle idea is simple: he who gets to the
train locker where the cash is stored *first* gets the cash. There can
never be "double spending," only people who get to the locker and find no
cash inside. Chaumian blinding allows the "train locker" (e.g., Credit
Suisse) to give the money to the entity making the claim without knowing
how the number correlates to previous numbers they "sold" to other
entities. Anonymity is preserved, absolutely. (Ignoring for this discussion
issues of cameras watching the cash pickup, if it ever actually gets picked
up.)

Once the "handshaking" of on-line clearing is accepted, based on the "first
to the money gets it" principle, then networks of such clearinghouses can
thrive, as each is confident about clearing. (There are some important
things needed to provide what I'll dub "closure" to the circuit. People
need to ping the system, depositing and withdrawing, to establish both
confidence and cover. A lot like remailer networks. In fact, very much like
them.)

In on-line clearing, only a number is needed to make a transfer.
Conceptually, that is. Just a number. It is up to the holder of the number
to protect it carefully, which is as it should be (for reasons of locality,
for self-responsibility, and because any other option introduces
repudiation, disavowall, and the "Twinkies made me do it" sorts of
nonsense). Once the number is transferred and reblinded, the old number no
longer has a claim on the money stored at Credit Suisse, for example. That
money is now out of the train locker and into a new one. (People always
ask, "But where is the money, really?" I see digital cash as *claims* on
accounts in existing money-holding places, typically banks. There are all
kinds of "claims"--Eric Hughes has regaled us with tales of his
explorations of the world of commericial paper. My use of the term "claim"
here is of the "You present the right number, you get access" kind. Like
the combination to a safe. The train locker idea makes this clearer, and
gets around the confusion about "digimarks" of "e$" actually _being_ any
kind of money it and of itself.)

Off-line systems may be useful for paying for movies, toll roads, etc., but
there the protocols can be set up to limit exposure to fraud. (Ontological
constraints, such as number of movie theater attendees, etc., will limit
the losses. Scams will likely still exist, but the problem seems manageable
with some work.)

And as networks get much faster, expect even off-line cash to fade. Depends
on costs, insurance rates, benefits, and of course on regulations.


>spending, even of a penny, and the penalties could be made strong
>enough to deter most people.  If a bank does not think they will be
>able to find and prosecute a person who is withdrawing off-line
>digital cash, they will probably not give any to him.  Then if the

The "first to the locker" approach causes the bank not to particularly care
about this, just as a Swiss bank will allow access to a numbered account
(or used to...please let's not have a dozen posts arguing about this, as is
so often the case on this list!) by presentation of the number, and perhaps
a key. Identity proof *may* be needed, depending on the "protocol" they and
the customer established, but it need not be. And the last thing the bank
is worried about is being able to "find and prosecute" anyone, as there is
no way they can be liable for a double spending incident.

The beauties of local clearing! (Which is what gold coins do, and paper
money if we really think we can pass it on to others.)


IS PROOF OF PHYSICAL IDENTITY NEEDED?

...
>money is double-spent, the person who withdrew it would be prima facie
>responsible, with a reasonable presumption that they did it unless
>there is significant evidence otherwise.  I don't know that this is
>how it will work out but it is one possibility (unless the uncertainty
>just scares everybody away - but I think the digital signature
>experience will get people used to the concepts and problems).

I recall some analyses of these situations a while back. I looked in my
"Crypto" Proceedings but didn't find it.

The danger of making the "person who withdrew it" a culprit if the money
has already been "spent" is clear: he is just as likely to be an innocent
victim of a setup as the guilty party. With off-line clearing, and not the
"handshaked" beauty of immediate clearing, one has to rely on
"trust"--tough with an anonymous person.

On-line clearing has the possible danger implicit in all trades that Alice
will hand over the money, Bob will verify that it has cleared into his
account (in older terms, Bob would await word that his Swiss bank account
has just been credited), and then Bob will fail to complete his end of the
bargain. If the transaction is truly anonymous, over computer lines, then
of course Bob just hangs up his modem and the connection is broken. This
situation is as old as time, and has always involved protcols in which
trust, repeat business, etc., are factors. Or escrow agents.


REAL ESCROW AND TRUE NYMS


Long before the "key escrow" of Clipper, true escrow was planned. Escrow as
in escrow agents. Or bonding agents.

Alice and Bob want to conduct a transaction. Neither trusts the other;
indeed, they are unknown to each other. In steps "Esther's Escrow Service."
She is _also utraceable_, but has established a digitally-signed presence
and a good reputation for fairness. Her business is in being an escrow
agent, like a bonding agency, not in "burning" either party. (The math of
this is interesting: as long as the profits to be gained from any small set
of transactions is less than her "reputation capital," it is in her
interest to forego the profits from burning and be honest. It is also
possible to arrange that Esther cannot profit from burning either Alice or
Bob or both of them, e.g., by suitably encrypting the escrowed stuff.)

Alice can put her part of the transaction into escrow with Esther, Bob can
do the same, and then Esther can release the items to the parties when
conditions are met, when both parties agree, when adjudication of some sort
occurs, etc. (There a dozen issues here, of course, about how disputes are
settled, about how parties satisfy themselves that Esther has the items she
says she has, etc.)


UNTRACEABLE MARKETS FOR ASSASSINATIONS

To make this brutally concrete, here's how escrow makes murder contracts
much safer than they are today to negotiate. Instead of one party being
caught in an FBI sting, as is so often the case when amateurs try to
arrange hits, they can use an escrow service to insulate themselves from:

1. From being traced, because the exchanges are handled via pseudonyms

2. From the killer taking the money and then not performing the hit,
because the escrow agent holds the money until the murder is verified
(according to some prototocol, such a newspaper report...again, an area for
more work, thankfully).

3. From being arrested when the money is picked up, as this is all done via
digital cash.

There are some ways to reduce the popularity of this Murder, Incorporated
system. (Things I've been thinking about for about 6 years, and which we
discussed on the list and on the Extropians list. I'll save this for
another time.)

My point here is to show how on-line clearing works in conjunction with an
escrow agent function.(Esther clears the cash, and can issue new cash to
Bob, who "trusts" her that if he does the job, the cash will clear, as
she's the escrow agent he's dealt with many times before.)


THE DANGER OF EVER USING PHYSICAL IDENITY VERIFICATION

>The other point I wanted to discuss was this issue of the bank
>authenticating the people who receive the cash.  This does raise the
>spectre of a big brother system where there is some way to identify
>people with 100% certainty.  Obviously this could be abused.

Danger! Danger! Danger! Any such system, that relies on physical IDs is
substantially less private that banks today in many countries, and is not
at all what I would call "digital cash."

On-line clearing makes this unnecessary.

>Without the authentication, you're not going to have off-line cash,
>IMO.  You will be stuck with on-line systems in which everyone has to
>verify everything before accepting it.  This means you pay a cost in
>communications overhead and possibly other foregone opportunities.

Agreed. But acceptable with a two-tiered system:

- off-line cash for small transactions, with smartcards, "observer"
protocols, and with built-in limits

- on-line , immediately-cleared cash for larger transactions, also with
various agreed-upon limits or requirements


RISKS


Is there a danger that people will lose the numbers that they need to
redeem money? That someone could steal the number and thus steal their
money?

Sure. There's the danger that I'll lose my bearer bonds, or forget my Swiss
bank account number, or lose my treasure map to where I buried my money (as
Alan Turing supposedly did in WW II).

People can take steps to limit risk. More secure computers. Dongles worn
around their necks. Protocols that involve biometric authentication to
their local computer or key storage PDA, etc. Limits on withdrawals per
day, etc. People can store key numbers with people they trust, perhaps
encrypted with other keys, can leave them with their lawyers, etc. All
sorts of arrangements can be made.

Where I'm not sure I agree with what Hal is saying is that _personal
identification_ is but one of these arrangements. Often used, but not
essential to the underlyng protocol. Again, the Swiss banks (maybe now the
Liechtenstein anstalts are a better example) don't require physical ID for
all accounts. (More generally, if Charles wants to create a bank in which
deposits are made and then given out to the first person who sings the
right tune, why should we care? This extreme example is useful in pointing
out that _contractual arrangements_ need not involve governmental or
societal norms about what constitutes proof of identity.)


PAPIEREN, BITTE

Hal goes on to talk about blinded credentials. A very important idea in our
permission slip-happy society, and an idea that is not getting nearly
enough attention. (Chaum's seminal "Transaction Systems to Make Big Brother
Obsolete," from Oct or Nov of 1985, in "Communications of the ACM," remains
required reading here.)

But I also take a more radical view. Ask yourself why credentials are
_ever_ needed. Maybe for driving a car, and the like, but in those cases
anonymity is not needed, as the person is in the car, etc.

Credentials for drinking age? Why? Let the parents enforce this, as the
argument goes about watching sex and violence on t.v. (If one accepts the
logic of requiring bars to enforce children's behavior, then one is on a
slippery slope toward requiring television set makers to check smartcards
of viewers, or of requiring a license to access the Internet, etc.)

In almost no cases do I see the need to carry "papers" with me. Maybe a
driver's license, like I said. In other areas, why?

This gets to a core issue: the incredible benefits of locally clearing a
transaction. Caveat emptor, buyer beware, etc. Cash on the barrelhead.

In transactions where "future performance" is needed, as in a contract to
have a house built, or to do some similar job, then of course the idea of
on-line or immediate clearing is bogus...like paying a stranger a sum of
money on his promise that he'll be back the next day to start building you
a house.

Parties to such long-term, non-locally-cleared cases may contract with an
escrow agent, as I described above. This is like the "privately-produced
law" we've discussed so many times. The essence: voluntary arrangements.

Maybe proofs of identity will be needed, or asked for, maybe not. But these
are not the essence of the deal. An interesting area.

I apologize if this essay, while long, is not quite long enough to capture
the ideas I wanted to express. To me, these are core ideas. Maybe not as
core to those of you who favor talking about depleted uranium sabots (but
what about Chobham armor and explosive armor?) or about "PGP rulz, d00d!,"
but core isseus to me.

Your smileage may vary.

--Tim May


..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."