From: eric@remailer.net (Eric Hughes)
To: cypherpunks@toad.com
Message Hash: b738d0afe718aa8196a40186cd81385b0efa3889d9d8a7478d1c0a82a76749a7
Message ID: <199501291709.JAA29626@largo.remailer.net>
Reply To: <ab5087cb03021004c425@DialupEudora>
UTC Datetime: 1995-01-29 17:10:23 UTC
Raw Date: Sun, 29 Jan 95 09:10:23 PST
From: eric@remailer.net (Eric Hughes)
Date: Sun, 29 Jan 95 09:10:23 PST
To: cypherpunks@toad.com
Subject: Data Bank
In-Reply-To: <ab5087cb03021004c425@DialupEudora>
Message-ID: <199501291709.JAA29626@largo.remailer.net>
MIME-Version: 1.0
Content-Type: text/plain
From: norm@netcom.com (Norman Hardy)
The hat check specifies the secure hash of the data, the
penalty to be paid upon failure to produce the data, and the cost of
redeeming the data.
This sentence contains the single best idea in the whole proposal,
which is to specify liquidated damages in the retrieval note. (Most
of you will be saying, What?)
One of the largest costs of any conflict resolution is deciding, once
the existence of damage has been agreed upon, exactly what the scope
and worth of that damage was. "Liquidated damages" are a term of art
referring to a pre-agreed upon worth of the damage in question. One
most often sees them in construction contracts, where the contractor
will agree to pay a fixed amount per day for each day late. Rather
than bickering over how much a delay is worth, the two parties agree
in advance to value each day of delay at a given amount. This kind of
agreement is cheaper _for both parties_ than going to court.
In the data bank case, the liquidated damages are the amount to be
paid upon failure to produce data. In this case, there's no need even
to call it a penalty. The data bank agrees to produce either data or
a fixed amount of money. They get to choose, and it will almost
always be cheaper to remit data rather than money.
The hat check is signed blindly by the bank and is a
bearer instrument.
There's no need to have it signed blind. A blind signature is useful
when two parties have some persistent relationship with the
intermediary; when they don't have identity, there's no need for
blinding. Take, for example, a money bank. Two account holders who
wish to transact also wish to keep that transaction secret; in order
to do so, they use a blind-signed note, which prevents the linkage
from being determined by the bank. The reason that the blind
signature is necessary is that the two parties have accounts with the
bank, that is, they are known to it in advance. These two wish not to
create more information at the bank, that is, more information than is
already known.
On the other hand, this model of a data bank does not have account
holders. The relationship between this data bank and its customers is
embodied in the retrieval notes ("hat checks"). Furthermore, if two
parties wish to move data through the data bank, the storage and the
retrieval transactions can be trivially linked because they are about
the _same_ piece of data. The hash of the stored data is the same as
the hash of the retrieved data. Because data is not fungible -- one
block of data is not like another -- the parties who use this data
bank as a intermediary of transmission must remain anonymous to the
data bank if they are to remain unlinked.
A blind signature will not alleviate the need to remain anonymous to
this data bank. Suppose (somehow) the data bank was able to sign
blind the right sort of retrieval note. So fine, the retrieval note
doesn't reveal the linkage directly. But the retrieval note must
contain the hash of the data being retrieved. The hash can't change;
it's the access key. So the unchanging part of the note is what gives
the link away. We therefore conclude that there's no need for a blind
signature here at all.
Cancel a hat check: A holder of a hat check may sell it back to the bank at
a negotiated price thus releasing the bank from the threat of paying a
penalty in the future.
This cancellation can't be done well. Remember that the parties are
remaining anonymous to the data bank. In order to release the data
bank of an obligation, some party would have to make some signed
statement releasing the data bank from the obligation. But making a
signature reveals identity, perforce.
Furthermore the retrieval note is a bearer instrument, but it's a
_digital_ bearer instrument, which means you can't simply give the
note back to the data bank. There's no piece of paper to return.
Once the note is out there, it's out there forever. There can be lots
and lots of bearers. Which one of them gets to release the data bank
of its obligation?
The hat check may specify expiration dates, cancellation terms etc.
The retrieval note very well should specify an expiration date, since
otherwise the data bank has specified an obligation in perpetuity. A
perpetual obligation is much less stable than a fixed-time one. The
value to the data bank of disappearance grows larger as the cost of
storing the data increases. No new external revenue is coming in (by
definition -- otherwise you've got a renewable agreement, which is
different) and all you've got is costs. So there becomes little
reason not to simply abscond with the assets and deny any outstanding
obligations.
A customer, therefore, would be wise not to deal with a data bank
which signed perpetual obligations. If a customer wants indefinitely
long storage, the best way to do this is with a set of interlocking
obligations with mutually ignorant parties.
The bank is explicitly permitted to disseminate the data and may
well do so to lay-off risks. In this sense a data bank is like in
insurance company that spreads and shares risks. A hat check may be
viewed as a life insurance policy for the data.
This is exactly why liquidated damages are such a good idea. By
making explicit the cost of data loss, a data bank can much more
accurately calculate it's risks and costs. Indeed, the ability to lay
off risk of loss is what can create a stable economy of data storage.
There are lots of extraneous elements in the proposal that I've not
addressed. I wish to highlight what is valuable and not to dwell on
what is not.
Eric
Return to January 1995
Return to “norm@netcom.com (Norman Hardy)”