1995-09-22 - e$: Non-Repudiation

Header Data

From: rah@shipwright.com (Robert Hettinga)
To: cypherpunks@toad.com
Message Hash: 087c4460ad0707e0249b0e157842f39b52e1363b42f72ebc5c7a3a76f89abda3
Message ID: <v02120d00ac8339d1a3bb@[]>
Reply To: N/A
UTC Datetime: 1995-09-22 13:23:41 UTC
Raw Date: Fri, 22 Sep 95 06:23:41 PDT

Raw message

From: rah@shipwright.com (Robert Hettinga)
Date: Fri, 22 Sep 95 06:23:41 PDT
To: cypherpunks@toad.com
Subject: e$: Non-Repudiation
Message-ID: <v02120d00ac8339d1a3bb@[]>
MIME-Version: 1.0
Content-Type: text/plain

Dr. May said:

>"ontology" of digital money, the instruments and forms it can take, are
>_impoverished_ compared to the real world.

Ah... Someone's playing my song...

Sorry I took so long, but I wanted to give this excellent post some serious
attention, which is hard to come by when you're a person like me (praise
the lord and pass the Ritalin ;-) ).

>In my eight years of following digital cash work, I've been struck with how
>little _economics_ enters the fray.

I think you're right, Tim.  More and more people are finally realizing that
digital commerce *is* cryptography: cryptography as it's applied to
economics on a network of microprocessors.  After all, Netscape plans to
make its money on servers, most important, its commerce servers, the
servers that require the most cryptography.

A major leader on this front, to my mind -- that is, someone who has been
barking on the end of his chain ;-) the longest and loudest about all this,
and who has gone out and *learned* how the clearing of transactions happens
in the capital markets and elsewhere -- is Eric Hughes. Eric, who, along
with Tim May, founded this group to begin with, who has worked with David
Chaum, and who designed and built the first anonymous remailers.  One of
the reasons we don't see much of Eric around here these days is because
he's out there putting some rubber to the road in his consulting business,
where he's focusing on the very issue of cryptography and its applications
to digital commerce, and I wish him well.

That is *not* to slight others in this group who are also thinking about
this stuff. Not at all. In addition, most of us are looking at other issues
in cryptography, like remailers, like keeping the state out of our face,
like pithing SSL, and, frankly, most of the rest of us are too busy making
a living to do anything but lurk here.  Cryptography is huge, and digital
commerce is a small conceptual subset of the whole field, no matter how
important some of us think it is.

Nonetheless, the fact that both of the founders of this group are focusing
on cryptographic financial objects and/or their network infrastructure
speaks volumes about its importance anyway.

Having laid down that as covering fire ;-), let's talk about creating an
ecosystem of autonomous financial objects on public networks, and why I
think that Tim's post is particularly important.

The reason we have the multiplicity of financial instruments out there to
begin with is because there is money in creating them.  But the reason
there's money in it is because of the fall of the price of networked
computer-based communication.  The market they're traded in exists in
computers.  The decisions made to buy and sell them are at least
facilitated by computers. The clearing and settlement of these instruments
are done on computers.  However, these systems are all centralized, closed,
private systems.  For that reason, the very acceleration of processing
cost-effectiveness which created them is going to sweep them away someday.

The bleeding edge of all this is the so-called 'synthetic' security,
something which exists as a software manifestation of the most recent
financial theory, sometimes only experimental and a few hours old,
sometimes sold to an investment bank's clients just like any other
security, secondary markets and all. A combination of purchases and short
sales of put and call options on a particular bond, which behaves like the
bond in price, for example, without having to hold the bond itself. This is
usually done because the liquidity or the transaction cost of holding these
instruments is lower than that of the bond.  In addition, since unwinding
of the synthetic security should yield the price of the bond after
transaction costs, any discrepancies between the two yields an opportunity
for arbitrage.

Of course, in the early days, all of 10 years ago, theory held somewhat
more promise than reality. The great "portfolio insurance" fiasco of the
early 80's arose from the fact that the options trades which were supposed
to offset the fall of the price of a security in this fashion turned out to
be not very liquid after all. When the time came to unwind these positions
in a hurry, they got stuck. That's not as much of a problem these days, as
evidenced by the proliferation of increasingly sophisticated securities
based on the same idea, which trade and settle just fine.

Note that we're talking about book-entry entities here.  That is, these
modern securities are creatures of an environment where software
"applications" reside on a particular computer on a particular local or
private network, to manipulate centralized accounting entries on that
computer or elsewhere, in order to reflect the expected or traded value of
a security. Things that live "on" a computer. It's controlled completely
from the outside, with the exception of the behavior of the market. Not
"in" it, or "in" the network the computer's hooked into.

Notice how different all that is from a digital certificate like Chaumian
digital cash. When you get a digital certificate, you receive it through a
cryptographic protocol which ensures that it is what it says it is.  If the
certificate is traded on-line, then the certificate's issuer vouches for it
right then and there. If it is traded off-line (someday, I hope...) the
certificate speaks for itself, just like a dollar bill's supposed to.  As
such, it can reside anywhere, not as a book-entry "on" a central computer
somewhere, but "in" the network.

Notice also we are backing down a level of abstraction from the status quo.
A certificate is what it says it is, it is not book-entry, which is a
pointer to something which is what it says it is.

That's the paradox of modern book entry systems. A book entry used to just
"point" to a physical certificate, which in turn points to a cash-flow or a
series of cash-flows of some kind. Of course, the term "book entry" is
almost exclusively used to describe clearing capital market trades without
the physical exchange of certificates for other pieces of paper (receipts,
checks, signature guarantees, etc.). The institutional ideal in this
environment is a clearing-house wire clearing the trade in exchange for a
bank wire transfer settling the trade. The book entry becomes the primary
abstraction, not any certificate it is supposed to represent.

The problem with book entries, of course, is the problem with any database.
You have to manipulate that database, and to do that, you have to get
access, and to do that you need permission... you get the point.  In a
capital market, that costs money, and it's costing more and more as a
percentage of the revenue derived from the transaction, because to get
access, you need human permission and intervention. If a human isn't
supervising things, people take advantage of their access. Mr. Leeson of
Barings was a classic case in point. Meanwhile, Moore's law keeps lowering
the cost of the rest of the production cycle.

Another problem, closer to the heart of this list, is that of anonymity.
The ultimate authority to modify that particular line item or database
field derives from the "owner" of that entry, since it is usually modified
by someone else, "a chain of custody" is needed: audit trails, and of
course, True Names are necessary somewhere, even with numbered accounts.
The primary point for inventing double-entry bookkeeping was so owners could
control accountants, after all.

When electronic book entries started replacing paper ones, the resulting
economies of scale caused great centralization to occur. As I've said here
before, lines were cheaper than nodes, and things got bigger and bigger.
The advent of the microprocessor has been continually eating away at these
large control hierarchies, and making them harder and harder to maintain.
Things are getting out of control again.

In an out of control environment, like that found on public uncontrolled
networks like the internet, software has to be autonomous. A certificate,
like a piece of digital cash, is an autonomous entity. As we said before,
it is what it says it is. Because of a cryptographic protocol, you trust
the thing because of the way it behaves, not because you trust the people
who gave you access to it.

Now, Tim is talking about another type of autonomous entity, an agent,
basically, a "friendly" virus. A piece of code which is launched or
launches itself on one machine, crosses a network, runs itself on another
machine, and returns with a result. Our current concept of software agents
implies that there's something on another machine that needs to be "got",
usually a database requiring access and permissions, which is why people
who manage centralized repositories of information are nervous about them,
just like microcomputers made their mainframe predecessors nervous.

On the other hand, it's easy to see a scenario where two agents arrange to
meet somewhere on a *public* network, in the presence of another
"impartial" agent to exchange certificates, trading, settling and clearing
all in one shot. Unsupervised. Out of control. Because the agents are
engaging in a cryptographic process which "breaks" if the entities behave
improperly, fraud is supposed to be prevented.

Which brings me to something which goes right to the heart of one of our
most cherished ideas here on cypherpunks, the idea of crypto-anarchy: with
the right cryptography, agreements become unenforceable because perfect
anonymity disconnects the "pointers" between digital and physical identity.
Crypto-anarchy means that states don't know who to force to do what.
Technology does this, it's reality, it's not optional, so we better get
used to it. The catch to all of this is a curious conceptual double
negative called non-repudiation.

I had trouble remembering the name for a while, I kept wanting to say
"plausible deniability", in the spirit of Admiral Poindexter. But I've had
to remember the real name, because the idea's so damned important.

Right now, the canon of commercial law for the entire free world (just so I
can't be accused of quibbling here :-) ) is completely based on the concept
of non-repudiation, that is, you can't repudiate an agreement, or a trade,
or you face legal sanction. Force, in other words. Ultimately, the
state can send you to jail, or worse.

About a year ago, when www-buyinfo had active discussion on it, (and had
not yet been turned into cyphe$rpunks by my reflexive redirection there of
all the e$ cheezy-bits from cypherpunks ;-), ) I got into an interesting
discussion there about non-repudiation and I didn't even know I was
involved in one. We were arguing about a familiar dichotomy in the concept
of digital cash, the difference between on-line and off-line protocols.

I was arguing that on-line cash was better because it was a more
"peer-to-peer" proposition than an online system, which required access to
a network connection, and high-bandwidth processing at the certificate
issuer so the issuer could participate in *every* *single* *cash*
*settlement*.  That invasive participation struck me as antithetical to the
whole concept of a hyper-distributed geodesic economy that I thought that
digital commerce was going to become. The technology which made it possible
for anyone, anywhere, to sell anything digitable -- music, movies,
information, teleoperator control sequences, professional services, and
financial instruments -- to anyone else, while using the cheapest possible
transaction protocol, that is, cash, a protocol which immediately and
finally clears and settles a transaction,  will win out in the end.

So, I was finding myself twisting in the wind about all of this, trying to
figure out how offline cash was going to have to work if double-spending
was possible, how it could be kept to manageable levels. I found myself saying
things like (forgive me), "Well, if they double-spend, put 'em in the
airlo- er, throw 'em in jail!". In other words, we have the key of the
double spender, even if she's anonymous, so we could use snitches,
subpoenas of bank records, and plain old detective work, to send her to
jail should she repudiate the agreement to not double-spend.

It's hard to see how that would happen in a perfect world with perfect
anonymity, much less in a world where nation-states couldn't collect income
to pay for judges, courts, and LEAs. Nick Szabo was gleefully slapping me
around the head and shoulders about this, and I retired from the field. So,
no matter how much the idea refuses to leave my thick Frisian head, I'll
leave that big, red, dog ("Hey, baby...") sleeping on the front porch for
the time being. This without even *touching* the other problem with digital
cash in general, Nathaniel Borenstein's favorite anti-digital-cash 2-by-4
-- which threatens *all* digital cash systems on- or off- line -- the
prospect of someone *inside* a certificate issuer stealing the private key
for an entire issue, and printing all the money she wants. To that I say,
use multiple issues, and distribute keys, but I see that big red dog's
waking up, so we'll move on...

So, you can see we're talking about the alleged inability of cryptography
to deal with the repudiation of digital cash trades. It cannot currently
keep transactions either the way cypherpunks want, utterly anonymous, and
the way I want them, off-line.

In fact, at the moment, I'm very close to holding the strong form of this
argument, that is, the concept of non-repudiation is the *only* reason
we're being forced into true-name trades right now. It's not the long arm
of the law, it's the market, which makes sense. If it was just a legal
obstacle, and really contrary to market forces, it should have collapsed
under a barrage of regulatory arbitrage attempts. No threat of legal force
would have prevented people from trying to make money issuing digital cash.
The War on Some Drugs is a good example of this.

If we could get digital cash trades, or trades of any kind of financial
instrument for that matter, to trade on public networks without the ability
to repudiate them, it probably won't matter whether they're illegal, which
is interesting, to say the least, but it's no different from what happens
with paper certificates.

Now, as usual, all this is no brilliant insight on my part. A few days ago,
I didn't know what "non-repudiation" meant.

On Wednesday, I had a very interesting over-coffee conversation with Yet
Another Professional Who Wants To Remain Anonymous. I must be a magnet to
these people for some reason, at least until they figure out I'm not *that*
useful. Or maybe it's because I need so much help. Anyway, people
who were on cypherpunks last summer remember my previous anonymous legal
informant, the esteemed counselor Vinnie "The Pro" Bono, not to be
confused with his second cousin, the Honorable Sonny. "Vinnie" wanted to
remain anonymous because he was afraid of being deluged with requests for
free legal advice, among other things. I still won't tell you who he was,
but he has since "come out", and, of course, we *aren't* choking his POP
server with requests to get our various relations out of the slammer, or
anything else for that matter, even though he talks freely here under his
True Name.

I expect my new friend will figure this out soon enough. The other reason
he gave is that he's so damn busy he doesn't have time to do much but lurk.

Unfortunately, this guy lurks not here, but on www-buyinfo, having signed
on to cypherpunks and deciding *not* to drink from a firehose, thank you
very much, and since I've been spamming it lately with the aforementioned
cypherpunks e$ cheezy bits, he seems to prefer it there. I have to admit
myself that as much as *I* like it here, it is an acquired taste...

Now, our friend Vinnie has some very serious credentials, but this new guy
is just plain scary because he's so focused on the commercial law of EDI
and electronic commerce. This hypercredentialed gentleman shows up on the
program committee of various "suit" conferences on electronic commerce,
sponsored by various international legal entities and TLAs, and seems to be
up to his elbows in the Current Fantasy according to the Powers that Be, in
particular, its legal armature: legal sanction, non-repudiation, True
Names, and all.

Which leads me to *his* moniker. I thought I was going to be civil about
this, and just refer to him in the third person singular, but I had this
amazing brainstorm. Remember the comedian "Professor" Edwin Corey, who died
recently? His schtick was a variant on the nutty professor, obfuscatory
language, lab coat, Converse high-tops and all, and he called himself
"The World's Foremost Authority". Didn't say on what, which was the point.
As a philosophy major at Mizzou who really loved his informal fallacies,
one of which was the Appeal to Authority, this particular example always
made me laugh. So, I've dubbed this particular informant "Edwin Corey", or
"Mr. Corey" in true Oxfordian fashion, not to be at all uncharitable, but
because, in truth, this guy is probably the world's foremost authority on
this stuff, if anyone is...

He's going to give me pointers to some of this proposed "legal armature"
from time to time, the first of which is a report by one Michael Baum
entitled, deep breath, "Federal Certification Authority Liability and
Policy: Law and Policy of Certificate-Based Public Key and Digital
Signatures".  This 500+ page monster can be obtained from, who else, The
Feds, in particular, another big breath, the United States Department of
Commerce, Technology Administration, National Technical Information
Service, Springfield, VA, 22161; (703) 487-4650. The cost is $61, plus $6
for shipping and handling, plus $2 for orders sent outside the U.S., Canada
or Mexico, plus rush charges if you call 1-800-553-NTIS, and if you *don't*
jump up and down three times *before* you write the check or read them your
credit card over the phone, the trade will be repudiated. ;-).

Oh. It says something here about being able to get it through a web-site
called FedWorld, http://www.fedworld.gov .

So, it's very important to work on financial objects and agents.  However,
I should really try to concentrate on the issue of non-repudiation, because
it is a necessary, and maybe (strong form) necessary and sufficient,
criterion for the development of digital commerce on public networks.

Bob Hettinga

Robert Hettinga (rah@shipwright.com)
Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131
USA (617) 323-7923
"Reality is not optional." --Thomas Sowell
>>>>Phree Phil: Email: zldf@clark.net  http://www.netresponse.com/zldf <<<<<