From: KALLISTE@delphi.com
Date: Thu, 27 Feb 1997 22:27:45 -0800 (PST)
To: cypherpunks@toad.com
Subject: Clipper Chip Banking
Message-ID: <01IFXJQE7DR69AU48I@delphi.com>
MIME-Version: 1.0
Content-Type: text/plain


         Clipper Chip Banking

          by J. Orlin Grabbe

      Sandia National Laboratories have
created the digital cash equivalent  of
the   Clipper   chip:   an  "anonymous"
digital  cash  system that  would  give
participants privacy from all  viewers,
except for the government agencies that
would  control the secret keys required
for backdoor access.

      Just  as  the "Clipper"  proposal
(the Escrowed Encryption Standard) is a
system of encrypted communication  with
a Big Brother peephole, so is Sandia e-
cash  a  system of digital cash with  a
Big  Brother peephole.  It was designed
that way.

       Why  is  Sandia  interested   in
digital cash systems?  Well, Sandia  is
responsible    for   all    non-nuclear
components  of  nuclear  weapons.   The
security  of  nuclear  weapons  depends
partly   on   cryptology.   The   code-
breaking   National   Security   Agency
(NSA), for example, is responsible  for
the   communication  security  of   the
Minuteman missile, as well as the codes
by  which  the President must  identify
himself to authorize a nuclear strike.

      The  use  of nuclear  weapons  is
normally  based  on a  trustee  system:
two  or  more  people are necessary  to
give  the complete authorization  code.
The NSA used this idea as the basis for
the   Clipper  chip:   two   designated
trustee   agents   would   each    have
knowledge of one-half the chip-specific
unique  key  by  which  to  decode  the
session  key that encoded a  particular
communication passing through the chip.
The   Clipper   chip   was   originally
proposed  for incorporation into  every
digital communication device: computer,
fax,  and cable TV.

      The sales aspect of Clipper was a
new  encryption algorithm based on  80-
bit  encryption  keys.   Financial  and
other  institutions had begun to  worry
about   the   security  of   the   Data
Encryption Standard (DES) which uses 56-
bit keys.  An 80-bit key space would be
2^24  times  as large as  the  DES  key
space.   The  catch was that acceptance
of  the  new  algorithm  would  involve
acceptance of the NSA backdoor.  At the
present  time,  the financial  industry
has  said,  "No,  thank  you,"  and  is
focusing on triple-DES, which  has  the
security    equivalent    of    112-bit
encryption keys, and no backdoor.

       Sandia   e-cash  is   a   simple
extension of the trustee notion. Sandia
e-cash  was  announced  as  "the  first
electronic     cash     system     that
incorporates   trustee-based   tracing,
while    provably    protecting    user
anonymity".  The trustees in this  case
are  key-escrow agents, and  a  minimal
subset of them (say three out of  five)
would   be   able   to  combine   their
knowledge   to  trace  an  individual's
electronic transactions.  The fact that
several  agents would need  to  act  in
concert   "protects  users   from   the
possibility  that one or  two  trustees
might  be  corrupt".  (In other  words,
depending  on  the  level  of  official
corruption, the system would either  be
somewhat secure, or totally insecure.)

      Anonymity or privacy in financial
transactions   generally    means    an
inability  to determine an individual's
spending  patterns. Anonymity  requires
first and foremost protection from  the
prying eyes of the bank.

     If the bank knows what is going on
in  your  account, then potentially  so
can  anyone  else: the records  can  be
seized, or surreptitiously accessed  by
computer,  or  a bank employee  can  be
bribed  to  make  them available.   (In
this respect, it is useful to note that
the  system of Swiss numbered  accounts
was  created to protect bank  customers
from  bank  employees. Bank  employees,
observing what occurred in a customer's
account,  could  possibly  subject  the
customer to blackmail.)

        Anonymity   involves    several
aspects, including "unlinkability"  and
"untraceability".

       "Unlinkability"  refers  to  the
inability  of  a  bank (even  colluding
with  merchants) to determine that  two
payments  were made by the  same  user.
To   understand  this,   consider   the
opposite  case:  your monthly  American
Express  or credit card bill.   Such  a
statement    contains    a    set    of
transactions which are all linked by  a
common  element--your  AMEX  or  credit
card  account  number.   Because  these
payments  are  linked, they  present  a
limited  picture  (a  subset)  of  your
behavior,    movements,    and    habit
patterns.  Your  private  behavior   is
potentially     public     information.
Unlinkability is therefore an aspect of
anonymity.    Because  linkability   in
anonymous    digital   cash    involves
cryptological   protocols,     it    is
actually  a  probability concept:   how
probable is it that two payments can be
accurately  identified as  having  been
made  by  the same user?  Unlinkability
means such probability is negligible.

      "Untraceability"  refers  to  the
inability   of   a   bank   to    match
withdrawals   of  digital   cash   with
subsequent    payments.      To    have
untraceability,   the   information   a
person  reveals about himself by making
payments    must    be    statistically
independent of the information a person
reveals   about   himself   by   making
withdrawals.   Of course if  the  bank,
even  when  colluding  with  merchants,
can't   link   or  trace   a   person's
transactions--even in probability terms-
-then  neither can FINCEN or  the  NSA.
Anonymity  and privacy thus  ultimately
hinges  on  concealing  this  type   of
information from the bank itself.

      But  such  anonymity,  naturally,
raises  the  issue of the  selectively-
enforced  money-laundering  laws.   The
prevention   of   money-laundering   is
stated as a principal raison d'ˆtre for
Sandia's e-cash system of non-anonymous
"anonymity":

     "Money  laundering . .  .  is
     hampered by physical cash and
     would  be  made easier  by  a
     completely          anonymous
     electronic counterpart. . . .
     With anonymous e-cash, money-
     laundering would be as simple
     as   depositing  one  set  of
     electronic  "coins"   in   an
     account under an assumed name
     and  withdrawing another  set
     from   the   same   account."
     (Peter  S. Gemmel, "Traceable
     e-cash," Technology  and  the
     Electronic   Economy,    IEEE
     Spectrum, February 1997.)

        To   prevent   such   nefarious
activity,  Sandia  even  envisions  one
future world in which individuals would
be  required to submit regular  reports
of  their financial transactions to the
government:

     "In a different trustee-based
     e-cash   system,  the  users'
     "wallet"    software    would
     require  them to  supply  the
     authorities from time to time
     with    transaction   records
     stored  in  their  electronic
     wallets  and  encrypted  with
     their tracing keys." (Ibid.)
     
This proposal is somewhat similar to  a
requirement  to  regularly  send  one's
bank  statements to the IRS for filing,
with a committee controlling access  to
the file cabinet.

      While  Sandia ponders the  future
needs  of Big Brother government,  over
at   the  Treasury,  meanwhile,  Robert
Rubin has appointed the Comptroller  of
the  Currency,  Eugene Ludwig,  as  the
point man to oversee government efforts
to  keep  a  peephole into  every  bank
account.  To this end, Ludwig--when  he
is   not   attending  Clinton   coffee-
klatsches--coordinates  the  electronic
cash   spying  plans  of  FINCEN,  U.S.
Customs,  the IRS, the Secret  Service,
ATF,  and the Office of Foreign  Assets
Control.

February 27, 1997
Web Page:  http://www.aci.net/kalliste/