From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@cyberpass.net
Message Hash: 0f8a8d53a1bc28d5fc832a36fef93dfc323700725a149fed6145222b18d58804
Message ID: <v0302095daf90224fa770@[139.167.130.247]>
Reply To: <199705022130.OAA01562@crypt.hfinney.com>
UTC Datetime: 1997-05-03 01:37:58 UTC
Raw Date: Sat, 3 May 1997 09:37:58 +0800
From: Robert Hettinga <rah@shipwright.com>
Date: Sat, 3 May 1997 09:37:58 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Bypassing the Digicash Patents
In-Reply-To: <199705022130.OAA01562@crypt.hfinney.com>
Message-ID: <v0302095daf90224fa770@[139.167.130.247]>
MIME-Version: 1.0
Content-Type: text/plain
At 5:30 pm -0400 on 5/2/97, Hal Finney wrote:
> Bob, if I understand you correctly, you've suggested that digital
> bearer instruments will in the long run actually be more efficient than
> conventional book entry based transaction models. Anonymity will be
> cheaper than identified transactions.
Exactly. In the same way that physical bearer certificates were cheaper to
use than handwritten book entries. Before telegraphy, anyway. It was
telegraphy, more than anything else, which forced the creation of
book-entry settlement (using, actually, encrypted messages and prearranged
authentication codes), because you could do trades at a distance, which you
couldn't do with paper certificates. Database-enabled accounting was what
killed large and abstract value physical bearer certificates once and for
all. Especially when you could swap data sets with tape or disk packs from
machine to machine. (Notice I didn't say tax law. The book entries had to
be there before you could tax them. :-). Law follows reality, not the other
way around. We get the government we deserve [afford], a constituency of
idiots will elect one, and all that tosh.)
I claim that as you get closer to completely offline digital bearer
certificates, you bring back the competitive advantage of bearer
certificates. Right now, we're pretty much in the on-line digital bearer
certificate stage of things, but I'm claiming that even *that* makes it
possible to supplant very large pieces of the book entry hierarchy we've
managed to build in the industrial age. Particularly in the case of
peer-to-peer transactions over great physical -- or regulatory :-) --
distances.
> But, if digital bearer certificates of all kinds are, as you suggest,
> cheaper and more efficient than conventional ones, why can't we just
> use ordinary non-blinded digital instruments and ignore the identifying
> information?
I claim that the very futility of tracing those certificates creates the
greatest saving, especially if the only thing you really care about is
whether the trade will clear. The primary reason for keeping archives of
transactions is so that you can hire a cop to hunt down someone and send
them to jail when they stiff you. If you can't hunt them down, you don't
have to pay the cop. :-). Cops cost lots, as most people on cypherpunks
would agree. With a completely anonymous system like Chaum's, you *really*
have to trust the reputation of entity backing the certificates, but you
don't give a fig about who gives you the money itself. "Cash is King",
right? Since there are many more buyers and sellers than certificate
underwriters, and since the underwriter only keeps records of spent
certificates and not all transactions (and is probably expiring keys and
issues of certificates to keep the on-line storage load manageable), then
at least two sets of transaction book entries (those of the buyer and
seller) disappear, and the bookeeping load of the issuer is much less than
that of a typical book-entry intermediary like a clearinghouse. Not to
mention the offsetting book-entries of the clearing system linking multiple
clearing entities. Actually, that's more an artifact of a geodesic network,
and not of a digital bearer certifcate transaction system itself.
> This makes them less attractive from the privacy perspective, but what
> about from the point of view of the financial markets? Can they just
> ignore the serial numbers and treat them as the bearer certificates you
> have been talking about? (Don't real bearer certificates often have
> serial numbers on them?)
Yup. Actually, dollar bills have serial numbers. Bearer bonds had serial
numbers. That's how you controlled the amount in circulation, and could
detect some kinds of fraud, because the number of certificates issued is a
published figure. But the serial number's not important from a privacy
perspective once a certificate changes hands several times, especially if
the population of certificates is large, like it is with dollar bills.
Even the coupons, the little bits you hacked off and sent in every quarter
to get paid interest, had serial numbers. However, notice that you didn't
need to know *who* was sending in the coupon. The coupon itself was it's
own proof for redemption. You just sent back a check payable to the person
who sent in the coupon, or if the person, or person's messenger, showed up
physically, you paid cash. Remember $10,000, or $100K bills? That's what
they were primarily for. Cash settlement of things like large bond
transactions. Paper for paper.
Anyway, it's when you start registering certificates, and keeping track of
who owns what, that you get the cost explosion. In that case, you're right.
You could do it without blinding. Dan Simon's cash system for Microsoft
operates kind of like that. You can track the original purchaser at the
initial purchase, but after it's gone through a few secondary trades,
including ones with yourself, tracking them is pretty much impossible.
Chaum's current version of ecash has this, um, feature, which Ian Goldberg
has now conveniently dispatched. Frankly, the model I promote now, with a
book-entry bank as a trustee, has this problem, because you need a
book-entry account at your own bank to bring money on and off the net. Of
course, at some point, you could do this anonymously and in person at a
currency exchange, with a bag of cash. :-). Fortunately, as I said today in
a reply to Adam Back, when you create other assets on the net besides cash,
and can issue them in bearer form, the problem of requiring identity for
authentication goes away, because the book entries are no longer there
there to repudiate.
> Maybe this geodesic market you're talking about (which I don't understand
> at all) could work with current technology?
Moore's Law makes a given public network appear increasingly "geodesic",
like Bucky Fuller's geodesic structures, because nodes (switches,
processors) are comparatively cheaper than lines to build. The geodesic
market is a market which lives on a geodesic network, which, as Moore's law
progresses, creates smaller and smaller financial entities -- eventually
automated ones -- as measured by asset size or cashflow. That's because a
given amount of money, invested in an increasingly larger swarm of
distributed hardware "nodes", can handle more transactions, and/or smaller
amounts of money, as processor prices drop.
I claim that a cash-settled, digital bearer certificate market is what will
function best on a geodesic network, because it costs less to run for the
reasons I outlined above.
I further claim that the most efficient digital bearer certificate is an
anonymous one.
You get anonymity because it's a waste of resources to keep track of people
who pay you in cash. And, if the system is strongly anonymous from the
outset (and perfect pseudonymity is functionally anonymous), you won't even
try.
Cheers,
Bob Hettinga
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
Lesley Stahl: "You mean *anyone* can set up a web site and compete
with the New York Times?"
Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?"
The e$ Home Page: http://www.shipwright.com/
Return to May 1997
Return to “Robert Hettinga <rah@shipwright.com>”