From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 83dc2c3e0f07c26f94577034745d561434d960b92645590a1e75c19cd9647a74
Message ID: <199408260321.UAA11210@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-08-26 03:21:26 UTC
Raw Date: Thu, 25 Aug 94 20:21:26 PDT
Subject: Cash, cheaters, and anonymity
This is a response to an untitled anonymous post which raised some
good issues. My answers may be a little controversial; feel free to
disagree.

One question is the ease of theft in a digital cash environment, and
the consequences of claiming that secrets have been stolen. This
problem was recognized very early on in discussions of digital
signatures. The whole point of a signature is so that someone can be
held to a commitment. But an easy "out" would be to "accidentally on
purpose" let the secret keys be stolen, then to claim that the
signature was actually forged. Contrariwise, a business might
be victimized by actually having its secrets stolen and a forged
signature created that committed it to an unfavorable action.

I don't know what the best solution of these kinds of problems will
be. Probably in the next couple of years we will see some test uses
of digital signatures, and then we can see how these conflicts will be
handled by the courts. Obviously, traditional methods like
handwriting analysis which rely on physical imperfections will not be
useful. Instead the issues to be examined would include the security
methods used to guard the secrets, who might have had access to them,
what the reputations are of the parties involved, and so on. It seems
like these cases will not be easy to resolve cleanly.

On the other hand, I would hope that people actually can learn to use
care in safeguarding their secrets. The passwords and PINs we use
today may be complemented by physical checks for voice patterns, thumb
prints, perhaps (ironically) handwriting. Another approach would be
to raise people's IQ to about 1000, so they could do an unbreakable
authentication protocol in their heads :o. Failing that, there have been
suggestions (one here a couple of days ago) to use various kinds of
information exchange between the authenticating device and the human
user in order to prove authorization in such a way that even a thief
who has snooped on past exchanges will not be able to use the device.
This approach is sometimes called the use of "pass algorithms".

Applying this to the double-spending case, I suspect that Bob Hettinga
is more on the right track in seeing the solution in the legal system
rather than a simple "shucks, you caught me" forfeiting of a bond
worth triple damages. There really should be no excuse for double
spending, even of a penny, and the penalties could be made strong
enough to deter most people. If a bank does not think they will be
able to find and prosecute a person who is withdrawing off-line
digital cash, they will probably not give any to him. Then if the
money is double-spent, the person who withdrew it would be prima facie
responsible, with a reasonable presumption that they did it unless
there is significant evidence otherwise. I don't know that this is
how it will work out but it is one possibility (unless the uncertainty
just scares everybody away - but I think the digital signature
experience will get people used to the concepts and problems).

The other point I wanted to discuss was this issue of the bank
authenticating the people who receive the cash. This does raise the
spectre of a big brother system where there is some way to identify
people with 100% certainty. Obviously this could be abused.

My feeling is that there is a rather fine line we could walk in which
this potentially-oppressive technology exists, but in which it is
wielded in a way which enhances privacy and gives people the maximum
degree of control over information about themselves. By analogy,
think of a surgeon using a scalpel. This is a tool which is capable
of terrible damage, and it is only by using it with the utmost skill
that it brings about great benefits. Shunning knives altogether would
be as bad as allowing everyone to hack and slash indiscriminately.

In a similar way, authentication technology is IMO a necessary
enabling step for uses of cryptography which will enhance privacy.
Off-line cash is one example. We have to protect the interests of all
parties involved in a transaction or else it will not occur
(voluntarily). A bank will not want to give out ecash tokens for
which it is liable unless it is confident that it has some recourse in
the case of fraud (such as double-spending). If users have to
identify themselves to the bank in an utterly non-private way, that is
only so that they can then spend the money in perfect privacy. The
authentication that exists at the withdrawal step is wiped out by the
blinding of the cash that is done before it is spent. It is a matter
of balance.

Without the authentication, you're not going to have off-line cash,
IMO. You will be stuck with on-line systems in which everyone has to
verify everything before accepting it. This means you pay a cost in
communications overhead and possibly other foregone opportunities.

Another example would be digital credentials. These can be thought of
as digital tokens, somewhat like cash tokens, which have specific,
published meanings. One might mean, "salary > $40K". Another,
"age > 18 years". Like ecash, they can be issued and then re-blinded
so they are not recognizable. Here we do not have the double-spending
problem, but there is still a need for authentication. In order for
these credentials to be trusted, the organizations which issue them
will have to validate your eligibility. You'll have to show birth
certificates, pay stubs, and all of the other kinds of paraphernalia
you do today. The thought of this may grate in the minds of those
seeking the freedom of digital anonymity. But, again, once this
authenticating step is completed, you gain the advantages of a system
where you could potentially borrow money, rent cars, and do other
things which all involve authentication today, in complete privacy.
You authenticate yourself once, and from then on the system works for
you.

So, my vision of the ideal future is neither a database society, where
everything is recorded and tracked and privacy is protected only by a
flimsy shield of laws that are widely flouted, nor a digital anarchy
where identity is meaningless and trust among transitory pseudonyms is
virtually impossible. Rather, I see a foundation of careful,
nit-picking authentication upon which is built an elaborate structure
of information flows fully under the control of the individuals
involved. By adding the option for authentication to the mix, you
actually expand the opportunities offered by digital privacy technology.

Hal Finney